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i INTRODUCTION; OVERVI COMPUTER 


TWORK SE CERITY ENVIRONMENT 
A. INTRODUCTION 
1. The Military Computer Security Threat 
Computer security is a problem that plagues many computer centers. 
Computer security is especially important in the military where extensive automated 
data processing (ADP) systems control large forces and sensitive information. 


Moreover, 


the potential damage from penetration is growing with the ever increasing 
concentration of sensitive information in coniputers and the interconnection o 
these computers into large networks. Through computer penetration an enemy 
could, for example. compromise plans for emplovment, of tactical, fighters or 
compronuse operational plans and targeting for nuclear missiles. {Ref: I! p. 17| 


For example, one group of juvenile hackers “managed to shift the orbit of one 
Or more communications satellites.” [Ref. 2: p. 13] In terms of control of military 
forces, this type of penetration via computer could be a serious event in a command, 
control and communications (C3) context because C3 systems include computers, 
satellites and communications hardware. Thus, C3 computer networks, as well as 
other military systems, must continually operate in a secure manner. 

C3 networks and other military systems include computer networks, local 
networks, and local area networks (LAN). A computer network consists of one or 
more computers with the connected terminal devices and other related devices, such as 
modems and input/output channels [Ref. 3: p. 258]. A local network is a “small-area” 
communications network that provides interconnection for a variety of data 
communication devices. Moreover, a LAN is a “general-purpose local network that 
can serve a variety of devices and is typically used for terminals, microcomputers, and 
minicomputers.” {Ref. 4: p. 296] Given the preceding definitions, this thesis will 
consider a local computer network (LCN) and a LAN one in the same. 

Before addressing security of LANs, a C3 environment is addressed to provide 


an example and background of distributed processing. 
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2. Overview of LANs in a C3 Environment 

This section will provide a general definition of C3, a definition of distributed 
processing, a look at LAN support of distributed processing, some C3 environmental 
considerations for LAN, and lastly, a few C3 functional activities and applications. 

Many varied definitions of C3 exist; not all are agreed upon in military circles. 
There are variations such as command and control (C2) alone; C3; command, control, 
communications and intelligence (C31), etc. [Ref. 5: pp. 1-6]. For the purpose of this 
thesis the following definition from JCS Pub. | will be used. 


The exercise of authority and direction by a properlv designated conimander over 
assigned forces in the accomplishment of his mission. Command and control 
functions are performed through an arrangement of personnel, equipment, 
communication, facilities, and procedures which are employed by a commander 
in planning, directing, coordinating, ane eee forces and operations in the 


ed . 


accomplishment of a mission. [Ref. 5: p. 
Thus, a C3 system is used to support a decision maker (conimander). Moreover, 


sensors, automatic data processors (ADP), and communications equipment and 
systems are extensions of the decision maker's abilitv to gather, process, and 
dissenunate informiation. [Ref. 6: p. 618] 


For our purposes C3 will be used in a general way to indicate any type of command 
and Control (C235 Gs racic jssy.steme 

Given the above comments, a C3 system generally consists of human, sensor, 
communication and ADP components, along with any associated software. This thesis 
will only consider the ADP network aspects that relate to C3 in general. All man-in- 
the-loop and sensor considerations are ignored in this thesis because it deals strictly 
with LAN security. C3 is used as an application example because it is one military 
application that often involves distributed processing supported by computers and 
networks. 

C3 systems tend to be distributed configurations. Distributed processing 1s 
implemented via communications and computer networks. Current trends in C3 
systems are toward surviveable dispersed systemis in which distributed ADP will play a 
major role [Ref. 6: p. 638]. Distributed ADP is “data processing in an organization 
where some or all of the processing and storage of data is provided at different 


locations that are connected by teleconimunication lines.” Decentralized ADP is “data 


processing in an organization where the processing and storage of data are provided 
independently at various locations throughout the organization.” Any distributed 
computer system can support both types of processing. A combination of both can be 
used in a C3 system [Ref. 3: pp. 114,127]. Furthermore, pure distributed data 
management involves the increased sharing of responsibility (with users) for managing 
functions of processing, movement, and storage of information. The overall approach 
of distributed system developmient is “to develop a conceptual view. .. to provide a 
framework in which to manage distributed data management.” [Ref. 7: pp. 6-8] 
Distributed processing can be viewed as a hierarchical structure of computer 
systems and LANs. In this context, a local area network (LAN) will refer to a 
physically separate geographic part of a distributed computing/communications systen. 
It includes an interconnection of computer processors, terminals, sensors, etc., and the 
required software. Normally, all LAN components are channeled through a central 
point to communicate with other LANs and wide area networks, however multiple 
control points are possible [Ref. 8]. Moreover, individual computer systems make up 
LAN configurations. In the broader sense, the computer system supports some 
Kind(s) of functional application(s) through application software. The LAN also 


supports applications, only in a distributed environment. 


LANs have emerged as the practical way to evolve vesterday’s centralized, time 
Sharing coniputer system into tomorrow's truly distributed network of 
functionally dedicated, nucroprocessor based servers. 


Thus, LANs can be thought of as the “system bus” for locally distributed computing 
environments [Ref. 9: p. 69]. In other words, transfering data within the distributed 
LAN environment is similar to the transfer of data within a single computer svstem. 
The general environment a C3 system operates in 1s one in which “the rate, 
complexity, dimensionality, and uncertainty of events and of information about them, 
in both crisis and war situations, is rapidly increasing.” Understanding of events and 
force information is required for effective force management [Ref. 6: p. 620]. Thus, a 
commanders mission performance depends on his C3 system [Ref 10: p. 87]. To all 
that, computers can and are used to provide a qualitative superiority in areas were we 
are outnumbered. For example, computers are at the heart of the C3 process in the 


Air Force. The need for secure computer networks 
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is clear when we realize that. good C3 capabilities can double or triple force 
effectiveness: conversely, ineffective C3 is certain to jeopardize or deny the 
objective sought. [Ref. 1: pp. 17-18 


Generally, the driving force behind LAN and ADP security is to reduce or - 
eliminate potential damage from unauthorized system penetration. For example, given 
the Walker spy ring incident, consider this scenario: a Soviet agent aboard a U.S. 
Navy warship stealing the ship’s ability to fight by tampering with sensor and weapon 
software. An agent would accomplish this by inserting or modifving portions of 
software modules. “Like an invisible time bomb, the subverted software could lie 
hidden in the computer system, ready to explode in the form of catastrophic 
commands.” [Ref. 2: p.12] 


Given the processes/activities within a C3 system, 


information technology does not simplv help the, commander and his staff. but 
also stimulates the dévelopment of collective military creativity, in which the 
largest group of people, including those separated by great distances, can 
participate (in Druzhinin and Kontorov). [Ref. 6: pp. 619-620 


As a result, a LAN can help provide filtering in a wide variety of processing; from data 
collection to decision aids. Some examples include dynamic electronic maps, pointers 
and blackboards. [Ref. 6: pp. 627,636] 

In short, various “Department of Defense (DoD) computers handle virtually 
everything from targeting ICBM’s to parceling out spaces in the Pentagon parking lot.” 
[Ref. 2: p. 1] Given that “the flexibility of LANs for dynamic system expansion and 
reconfiguration is particularly applicable to tactical C3I applications,” the future should 
bring more advanced ADP networks supporting C3 with more versatile and accurate 
resolution and filtering. [Ref. 9: p. 69] 

3. LAN Security Problems 
| Earlier we mentioned some examples of LAN penetration that indicate 
security is especially important in the C3 arena. However, it is important to all 
government systems in general. Many government and militarv C3 svstems depend on 
some form of a LAN configuration. Thus, we will concentrate on small local level 
military LAN configurations with emphasis on security at the unit level. This section 
will address a few general computer network security points in terms of ADP target 


areas, espionage and internal vulnerabilities. 
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General ADP target areas include electronic emissions, loose personnel 


procedures, network interfaces, operating systems and physical access. Once an 


ADP/network target area is chosen, a system penetration can result in [Ref- 11: p. 81]: 


Observation - no direct effect in, or change in data. 

Extraction - copying data. 

Alteration - modification or change of hardware, procedures, or data. 
Addition of extraneous data. 

Use of hardware or software resources. 


The above penetration activities can result in “espionage”. It can be internal, 


like the Walker spv ring, or external from enemy sources and hackers. For example, a 


UCLA student broke into over 150 computer accounts in the Pentagon funded 
Advance Research Project Agency Network (ARPANET) [Ref. 2: preface]. Moreover, 


in an attempt to prove system security, Air Force tiger teams have penetrated Air 


Force systems which were thought to be tamper-proof. Tiger team findings and 


comments include: 


New teams found new holes, even after previous teams could not gain access. 
Holes generally result from human design oversight. 
It does not take a highly skilled expert to penetrate security. 


The access threat from outside sources is growing; communication tabs; 
microwave intercepts; etc. [Ref: l: pp. 23-24] 


Some common techniques used to commit computer-related fraud and abuse 


are listed below. 


COMPUTER-RELATED FRAUD 

e Entering unauthorized information 

e Manipulating authorized input information 

e Manipulating or improperly using information files and records 
e Creating unauthorized files and records 

e Qverriding internal controls. 

COMPUTER-RELATED ABUSE 

e Stealing computer time, software, information, or equipment 
e Entering unauthorized information 

e Creating unauthorized information files and records 

¢ Developing computer programs for nonwork purposes 


e Manipulating or improperly using computer processing. 


ie 


Examples range from routing government funds to personal bank accounts, to selling 
information. [Ref. 12: pp. 10-11,31] 

Obviously, given an application and threats of fraud and abuse, ADP security 
is required. By consequence, the level of security required for a network must be 
approved before operations begin. In the Army the ADP and network approval 
process 1s called accreditation. 

4. Accreditation Process 
One important result of concerns for ADP security in the Army is the 


accreditation process. 


The term ‘accreditation’ is used to describe the process where by information 

ertaining to the security of an Army data Reese activity (DPA), ATS 
automated telecommunications system), or network is collected analyzed, and 
submitted for approval. [Ref. 13: p. 30] 


The accreditation authority for systems processing critically sensitive (CS) 
levels of information are Headquarters Department of the Army (HQDA) or major 
command ({MACOM) commanders (general officers), depending on the system. For 
highly sensitive (HS) information, installation, post, or field operation commanders can 
be the accreditation authority. At the sensitive level the heads of the data processing 
activities (DPA) or centralized office automation agencies may be the accreditation 
authority. More on sensitivity, and accreditation is presented in following chapters. 
Nonsensitive systems do not need accreditation. [Ref: 13: p. 6] 

The accreditation authority reviews submitted system documentation and 
approves or disapproves it. Disapproval indicates that the level of risk associated with 
the system is not acceptable. The goal is to make sure the accreditation efforts relate 
to the specified svstem, and that the system is cost effective. [Ref. 13: p. 30] 

The variation in types of svstems, functions, and installations caused the Army 
to develop different accreditation standards and procedures. For example, Army data 
processing activities (DPA) and/or automated teleconimunication svstems (ATS) are 
grouped according to sensitivity categories and levels. 

The accreditation process is a critical review of a designated DPA/ATS prior 
to accreditation. The purpose: “to provide information which will enable the 
accreditation authority to determine that sensitive information can be processed within 


the bounds of acceptable risk.” By consequence, the analytical accreditation process 


requires, aS a minimum, investigation, information gathering, and formal review by 
command authorities at both the operating and accrediting levels. Understandably, 
accreditation evolves from completing a series of goal and objective statements, 
management reviews, operation and system descriptions, and other documentation and 
reviews. In addition, all documentation must be classified according to its sensitivity 
level) [Ref. 13] 

The process ends when “a formal, dated, statement of accreditation has been 
issued by the appropriate authority.” At that time the accreditation is effective. 
ficel. 13} 


B. PURPOSE 

The U.S. Army Combat Developments Experimentation Center (USACDEC) 
Directorate of Information Management (DIM), Fort Ord, is currently involved with 
several network implementations, all at various stages of development. Like many 
government agencies, USACDEC has it’s own inherent resource constraints, and wants 
adequate network security at an affordable price. During early stages of development 
they found almost no existing LAN security guidance. Given their networks would be 
approved in terms of existing guidance, and their requirement to process sensitive 
information, LUSACDEC/DIM was interested in an “outsider’s” interpretation of ADP 
security guidance in terms of LANs. Thus the following thesis statement was 


developed: 


Identify local computer network (LAN) regulation and guidance requirements 
that are valid and outdated, and LAN areas that are not adequately covered by 
purent regulations, to give system developers a better feel for security 
oundaries. 


In doing this, the purpose is not to look for a set or perfect solution, but to 
develop a background for security considerations during the development of a network. 
It is hoped that this will be used as a guide or a tool for identifying security bounds 
during system development or expansion. The reason, of course, is that there are parts 
of regulations and guidance that are left to interpretation. To all that, it is common 
knowledge that computer technology is constantly changing for the better, assuming 
it’s application is not used by upper commmand/management levels to “nucro-manage.” 
Or, in the ADP context, it is not used by upper level commanders to access detailed 


information at the work level. In addition, current regulations cannot keep up because 
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many new ideas for regulations and ADP protection “have been sidetracked in the rush 
to modernize computer systems and continually update software.” [Ref. 2: p. 3] As a 
result, a certain level of risk must be accepted by the system developers and sponsors. 

Given the wide variety of computer systems and computer networks that exist 
within the DoD, a generic baseline system is used as a guide. It consists of basic 
components that can be found in and on many DoD and Army networks. The 
purpose here is to provide general technical network background information for 
configuration security analysis, and give the reader some frame of reference. As a 
result, the general baseline analysis is in terms of configuration hardware, software, and 
interfaces at a conceptual level. Hence, the scope of the thesis is limited mostly to 
configuration security; physical security and operational considerations are limited, and 
personnel security is only mentioned in certain areas. Furthermore, the thesis is 
intended to serve as a guide for identifying network guidance requirements for svstem 
components and the overall system configuration. The system configuration and 
component topics are identified in Chapter II. 

It is hoped that this thesis will provide the system developer with a gutde/tool 
that will help him/her focus an accreditation effort, develop the system, examine 
potential expansion alternatives, become aware of operational constraints, and develop 


possible accreditation methods and strategies. 


C. ASSUMPTIONS 
The following assumptions are made to help limit the scope of the thesis. 


e All comments concerning guidance applicability are restricted.to the guidance 
referenced in this thesis. Note: a list of the guidance can be found in ae 
III. Army. guidance reviewed was supplied bv USACDEC/DIM; all other 
(Doe etc.) guidance was selected for review by USACDEC;/DIM, but obtained 
else where. 


e The generic baseline used could be a microcomputer, minicomputer, mainframe 
computer based network, or any combination. 


¢ Specific brands of software and hardware will not be mentioned unless they are 
a part of many DoD systems. 


e The thesis assumes basic building construction of facilities housing LAN 
components is adequate. 


e A risk management analysis is complete. Risk management is explained in 
Gnaprer pur 


e A “network” has the same basic functions and requirements as a LAN. Thus 
any references to a “network” in the guidance, pertains to LANs as well. 


¢ Automated data processing (ADF) is used in a general way to represent 
coniputer systems. 
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e The thesis audience is mostly Army or DoD personnel with an. ADP 
background; Army commanders, managers, or security managers considering 
insta its of a network for the first time; and ADP security managers in 
general. 


e¢ No command-unique regulations or guidance documents are referenced. 


D. OVERVIEW OF CHAPTERS 

The chapters that follow address the generic baseline configuration, a review of 
current security regulations and guidance, network development considerations 
pertaining to security requirements, and potential security approval methodology. 

More specifically, Chapter II defines the generic baseline LAN configuration in 
detail. Hardware that may access the network will be identified. In addition, the 
system software identified will be based on actual software currently in use on some 
Operational networks. Types of tailor-made and off-the-shelf application software will 
be identified. Examples of possible applications of a network similar to the generic 
network will be identified. Moreover, environmental considerations will be addressed 
in a limited fashion, and physical hardware lavout will be restricted to hardware 
interface relationships (no detailed building or floor-plan layouts). 

Chapter III will give an overview of the LAN security considerations for the 
generic LAN baseline described in Chapter I]. What's more, it will categorize security 
regulations and guidance to determine what currently applies and what is outdated 
Also, parts of the LAN that are not covered by current regulations will be identified. 

Network development considerations pertaining to system high requirements and 
multilevel requirements are identified in Chapter IV. A general strategy is developed 
pertaining to the generic baseline system. It addresses regulations that apply, current 
Operations, and future expansion. Furthermore, the relevancy of regulations are 
considered. Interpretations of the regulations are suggested. 

Approval methodology is addressed in terms of accreditation requirements in 
Chapter V. First, the basic Army accreditation process is outlined and important areas 
are highlighted. Then, gaps between what security regulations state and what exists in 
the generic network are considered in terms of the accreditation process. Note that 
directions for accreditation preparation are not presented; only general strategy 
considerations. 

Finally, Chapter VI presents conclusions and summarizes the areas the thesis 
examines. Additionally, some recommendations are presented in terms of general 


protection, important guidance, and future research suggestions. 
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Il. A GENERIC “BASELINE” CONFIGURATION 


A. BACKGROUND 
1. Introduction 
In Chapter I a local network was defined to be a small-area general 
communications network, in contrast to a LAN which is a general purpose local 
network that is typically used as a computer network. Thus, the basic configuration 
concepts are the same for both networks. Even though this thesis is concerned with 
the automatic data processing (ADP) applications of LANs, other devices that can 
communicate over a LAN transmission medium (1.e. data communication devices) 
include sensors (temperature, humidity, security, etc.), telephones, and televisions. 
Moreover, the geographic scope of a LAN is small, usually serving a building or a 
group of buildings not covering more than a few tens of kilometers. Two examples are 
a canipus. of a military bases] Meme al 
As a general rule, key characteristics are high data rates, short distances, and 
low error rate. In a well designed network, additions and replacements can be made 
With little impact on the other devices on the network. In addition, control of the 
network can be distributed. [Refs. 4,14] . 
This chapter will look at configuration components, applications, the 
environment, and expansion in relation to the generic LAN “baseline.” 
2. Benefits and Pitfalls 
A local network improves the reliability, availability, and survivability of an 
ADP facility through redundancy. In other words, many separate device nodes and 
links ensure continued operation when part of the network is damaged or under repair. 
Other general benefits include: 
e Improved system responsiveness/performance. 
e Use ofa single terminal to access multiple computers. 
e = Flexibility of equipment location. [Ref. 4: pp. 2-3] 
One major pitfall is that the addition of new applications or enhancements 
risks the introduction of errors and the reduction of performance of the entire system. 


Other general pitfalls include: 
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e Interoperability/interface problems with diverse types of equipment. Special 
format-conversion software may be needed. 


e Loss of control -- it is hard to control information, enforce standards, protect 
and secure, and manage, distributed systems. [Ref. 4: pp. 2-3] 


3. Reasons for a LAN 
General reasons for implementing a LAN include: 
e Resource sharing; transmission of information; economizing on terminals, etc. 


e Future transitions to new svstems is enhanced because it provides a mechanism 
to put the old and new computer on the same network. 


e Expansion. 
e Provide vendor independence (related to expansion). 


e Easy to add devices to an existing cable plant.. Assuming cable was laid to 
allow for expansion, i.e. throughout a building. [Ref. 15: pp’ 186-187] 


The generic base-line network configuration for this thesis (reference Figure 
2.1) will be based on a collection of host computers, a computer branch exchange, and 
Ethernet. Both Ethernet and the computer branch exchange (CBX) control routing 
and transmission of data throughout the network, and both are explained below. 
Many Department of Defense (DoD) agencies are currently using these components 
and a baseline is needed for reference in terms of the security regulation analysis. The 
collection of host computers could be mini, micro, mainframe, or a combination of any 
of these, although the exact tvpe of computer is not important for our level of analvsis. 
The base-line configuration is intended to provide a vehicle for a general description of 
basic LAN components, what they do, how they relate to each other, and how they are 


applied to a LAN configuration. 


B. NETWORK CONFIGURATION COMPONENTS 
1. Component Overview 
There are components and functions common to all LANs. This section 

defines and explains basic characteristics and functions for some of the following 
components: 

- Topology 

- LAN protocols 

- Digital switches and Computer Branch Exchanges (CBX) 

- Networking interface 

- Internetworking (gateways) 

- Transmission media 


- Ethernet (because selected for the baseline) 
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Figure 2.1 Generic Baseline Configuration. 


2. Topology 
There are three main architectural alternatives for LANs; bus/tree, ring, and 
Star. Reference Pigure)2)2 | Reis taeau| 
a. Bus|tree 
In a bus topology the transmission medium 1s a linear cable shared by all 
stations and devices. Each station or device is attached to the medium and receives or 
sends information by bidirectional transmission of signals which propagate the length 
of the medium [Ref. 4: p. 295]. A tree is also defined as a topology in which stations 


and devices are attached to a shared transmission medium, but the cable branches out 


LOCAL NETWORK ae nat 
TOPOLOGIES 





fo 


STAR RING 


Sie 


BUS 


Figure 2.2. Basic Architecture Alternatives. 


from a device called a headend. A headend is the end of a multichannel bus or tree 
network. Stations/devices transmit to, and receive from the headend. The headend 
enables each station or device to receive and transmit signals among the tree branches 
[Ref. 4: p. 298]. Bus topologies are usually single channel (baseband); and trees must 
always be multi-channel (broadband). For a more detailed description of baseband and 
broadband see Tutorial Local Network Technology Section 2 [Ref. 4]. 

Bus or tree topologies only allow one pair of devices to communicate at a 
time because all devices share a common communications medium. In terms of 
transnussion media, trees usually use coaxial cable, but sometimes use twisted pair 
cable for low performance applications. Transmission media will be addressed later in 
this chapter [Ref. 14: p. 8]. 


Problems can arise from the shared access nature of the bus or tree 
topology. One example of a major problem is determining what station should 
transmit and when. Another problem 1s adjusting the signal strength to required levels 
between devices before transmission (signal balancing). These problems are magnified 
with many different types of devices and their unique characteristics [Ref. 4: pp. 
35-36]. Protocols manage some of these problems and are discussed later in the 
chapter. 

b. Characteristics of Ring LANs 

For computer-to-computer communications, the ring is often the most 
efficient topology [Ref. 14: p. 8]. A single closed path is formed when repeaters are 
connected by unidirectional transmission links [Ref. 4: p. 36]. A repeater is a device 
that receives data on one communication link and transmits it sequentially, bit by bit, 
on another link around the ring from one repeater to the next. The repeater is an 
integral part of the ring topology because it transmits data as fast as it receives it 
without buffering, and connects linear segments in a ring network. Data is readable bv 
all attached stations/devices. [Ref. 4: p. 297] 

Twisted-pair, baseband coaxial, and fiber-optic cables can all be used as 
transmission media to provide the repeater-to-repeater links. Broadband coaxial, 
however, could not easily be used because transmitting data on multiple channels 
requires more than just a repeater. Functionally this would require asynchronous 
transmitting and receiving, which is more complicated. [Ref. 4: p. 37] 

c. Star Topology 

All stations are connected to a central switch in a star topology. Any two 
Stations in the LAN communicate via circuit switching. Circuit switching is a 
communication method that establishes a dedicated communications path to connect 
two devices through one or more intermediate switching nodes (i.e. circuit switches). 
Digital data is sent as a continuous stream of bits. Conceptually, a pure star topology 
Only has one switch (see Figure 2.2). As a result, delay is limited to propagation time 
and channel bandwidth is guaranteed. [Ref. 4: pp. 295,297] 

3. LAN Protocols 
LANs need a means of controlling access to transmission media so any two 
devices on the network can control data when required [Ref. 4: p. 37]. Protocols 
provide this necessary access control so that the network transmission media can be 


shared. A protocol is defined as 
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a set of rules governing the communication and the transfer of data between two 
or more devices in a communication system: the rules define the handling of 
certain communication problems, such as framing, error control, sequence 
control, transparency, line control, and start-up control. [Ref. 3: p. 303] 


A protocol is implemented within a LAN via software, firmware, etc., in the associated 
LAN devices. 

In a protocol, the transmission medium access control technique 1s based on 
two parameters. The first is the control location (“where”), i.e. centralized or 
distributed, and the second parameter is “how”. In the “where” parameter, a 
centralized scheme may afford greater control over access, allow logic at each device or 
station to be as simple as possible, and avoid problems of coordination. On the other 
hand, a centralized scheme may act as a bottleneck resulting in a single point of failure 
and a reduction in efficiency. Distributed scheme pros and cons are a mirror image of 
the above points for the centralized scheme. In both schemes, the “how” parameter is 
a trade-off among competing factors, such as those of cost, performance, and 
complexity. Thus, the parameters are constrained by the topology of the particular 
centralized or distributed network scheme. [Ref. 4: p. 37] 

[In all common medium access control techniques, multiple data transfers 
share a single transmission capacity. The most common access method for LANs ts 
the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) in the random 
access category, token bus for bus and tree systems, and token ring for rings. 
[Ref. 4: p. 37] 

CSMA/CD operates as follows. Traffic already on the network channel has 
priority, and only one station can transmit at a time. Each station on the bus listens 
and waits until the channel is clear before transmitting. Collisions occur when two 
stations try to transmit at the same time. When collision occurs, both stations will 
detect it and cut short the transmission, then wait a short period of time before trying 
another transmission. [Ref. 14: pp. 9-10] 

Token bus is a more complicated medium access protocol than CSMA/CD. 
In token bus, stations on the bus form a virtual ring where each station is assigned a 
position in an ordered sequence. The first station transmits to any or all the other 
Stations. When the first station 1s done it passes a control token to the next station in 
the sequence. This process continues for all stations, and then repeats. [Refs. 3,14: pp. 
276-277,10] 
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Token ring works in a way similar to token bus except the control token 1s 
constantly circulating. Transmission is possible only if a station has the control token. 
Thus, when a station wants to transmit, it grabs the control token, and then returns 
the control token to circulation when it is finished. [Ref. 14: p. 10] 

4. Digital Switches and Computerized Branch Exchange (CBX) 

A computerized branch exchange (CBX) is a combination of digital switching 
and telephone private branch exchange (PBX) technologies. The CBX is defined as “a 
digital PBX that also handles data devices without modems.” Usually a digital switch 
refers to a system that only handles data over a star topology LAN. A PBX is a 
telephone exchange on the user’s premises that provides a switching facility for 
telephones on extension lines within a building or local area. In addition, it provides 
access to the public telephone network. Modern digital PBX characteristics include: 

- Use of digital phones to permit integrated voice/data workstations. 


- Distributed architecture. Multiple hierarchical switches with distributed 
intelligence. 


- Dedicated port assignments for all attached devices. 
Thus, a modern PBX can be used for local area computer networks. This thesis will 
refer to all modern CBXs and PBXs together as “CBXs”. [Ref. 4: pp. 134,295,297] 
a. Characteristics 

The CBX and the digital switch are major LAN alternatives for handling a © 
wide variety of local networking requirements. One of the most important 
characteristics is that the stations are usually connected by twisted pair to a central 
switching unit (star topology). The CBX uses circuit switching to establish a dedicated 
communications path between two devices wishing to communicate and guarantees the 
data rate, or “bandwidth”. Moreover, while data rates may be limited (64 Kbps), total 
capacitv (throughput) can be high (500 Mbps) [Ref. 4: p. 133]. Even though higher 
throughput limits can be achieved with a bus or a ring topology, a key distinguishing 
feature of the CBX is the transparency which it offers due to circuit switching 
[Ref. 14: p. 10]. 

A digital switch differs from a CBX in that it only handles data traffic and 
not voice traffic. Digital switching techniques have been used to build many digital 
switching products designed for data-only applications, i.e., a digital switch does not 
provide telephone service. In sum, the major function of a digital switch is to make a 


connection between two attached lines This is accomplished via two sub-functions. 
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The first is port contention which is used for host-to-terminal connections when a 
limited number of ports are open for a larger number of terminals. The second sub- 
function, port selection, is an interactive process of allowing an application program 
Or user to select a specific port or connection. If the switch did not allow this 
capability, only connections that were pre-configured by a svstem operator would be 
possible. Notice that for brevity, we have assumed that the control unit of the switch 
can talk to the requesting port. [Ref. 4: p. 133] 
b. Architecture 

Manufacturers have developed a variety of CBX architectures. They are 
proprietary, so the details are not generally available in most cases. Thus, the general 
architectural features common to all CBX systems will be presented. [Ref. 4: p. 134] 

nlevines.- olllmsenaties sa eenence CBN architecture. Note that the CBN 
degenerates to a digital switch architecture if you eliminate the voice features. 
eeied6: p. 237] 


Voice Line [| Services 
Group = z Unit 
et i Sl Services 
Unit 


Vowe Line | | ( aed 
Group : aed nit 
= 


Duta Line 


Group 
SWITCH 
DataLine | | | Protocol 
Group i Converter 
al 


al onverter 





Figure 2.3. Generic CBX Architecture. 
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The heart of the system is a digital switching network that has a series of 
interface units attached. They provide access to or from the outside world. Multiple 
incoming lines (usually 8-24) are multiplexed by the interface unit for input to the 
switch. The control unit exchanges control signals with attached devices and operates 
the digital switch. Service units include dialed-digit registers and tone and busy-signal 
generators. A trunk is a communications channel between two switching centers that 
normally consists of a group of lines enclosed in a single casing. Trunk interface units 
are used to connect off-site locations, and protocol converters connect dissimilar lines. 
[Refs. 4,16: pp. 134-136,566] 

This generic architecture is reliable because the failure of any interface unit 
means the loss of only a small number of lines. Key elements like the control unit can 
be made redundant. [Ref. 4: p. 136] 

5. The Network Interface 
All network devices must share a common LAN protocol to be compatible. 
There are three general ways that devices can attach to a LAN. The first is the 
“homogenous/single-vendor approach” where everything is guaranteed to be compatible 
by the vendor. In other words, each device can physically connect and operate with 
nunimal interface software and handle the same protocol. Second, is the “’standards’ 
approach”. The standards approach is an interconnection problem because current 
standards tend to freeze technology when new interfaces are developed. Furthermore, 
new standards for interfaces are constantly on the drawing boards and often become 
obsolete as soon as they are issued [Ref. 16: p. 121]. Last, is the “standard network 
interface approach” in which network operation details are hidden from the device 
[Ref. 4: p. 173]. Given the various ways to make LAN interconnections, some sort of 
network interface unit (NIU) 1s required to attach a device/station to a LAN. 
Typically, the NIU is a microprocessor-based device that functions like a 

communications controller to provide data transmission service to the attached device. 
General NIU functions include: 

- Accept data from connected device. 

- Buffer the data until medium access is obtained. 

- Transmit addressed data packets. 

- Search for packets on the medium that have the device’s own address. 

- Load the packet into buffer. 


- Transmit data (at the proper data rate) to the attached device. 
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Usually the hardware interface between the NIU and the attached devices is a standard 
serial communications interface such as RS-232C. In data communications, the 
RS-232-C is a set of standards specifving various electrical, mechanical, functional, and 
procedural characteristics for interfaces between computers, terminals, and modems. 
The NIU can be an outboard device (a stand alone unit) or an inboard device (one or 
more circuit boards attached to the device’s bus). Another important characteristic of 
the NIU is that it must, at a minimum, implement the LAN protocol. A generic NIU 
model is depicted in Figure 2.4. [Refs. 3,4,15,16] 
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Figure 2.4 The Generic Interface Model. 


6. Internetworking 
Internetworking is the communication among devices on two or more 
networks. The bridge and gateway are two common methods used to provide 
internetworking. The simplest is the bridge because it is for homogeneous local 
networks, i.e. the same interfaces and protocols. Typically, it is used for network 
interconnections involving one-vendor hardware. This thesis will focus on the more 


complicated gateway. Reference Figure 2.5. [Refs. 4,16] 
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Figure 2.5 Interconnected Networks (Catenet). 


A gateway is a device that connects two systems, usually svstems that use 
different protocols. For instance, a gateway would be used to connect two independent 
local networks or to connect a local network to a long-haul network. As a result, a 


gateway device is complex because it must accommodate differences between networks 
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_ ____ {local and long-haul). These differences include: addressing schemes, maximum packet___ 
size, network interfaces, time-outs, error recovery, status reporting, routing techniques, 
access controls, and connections. Thus, protocols are the major cause of gateway 

design issues. [Ref. 4: pp. 229-231,296] 


Different protocol approaches can be used to accommodate these network 





differences. In fact, a different gateway must be built for each pair of networks, which 
is hard to manage from an internetwork standpoint. In contrast, an internet protocol 
(IP) is a better approach. The idea behind the IP is that the gateways and stations 
share a common protocol only for internetwork traffic, while normal intranetwork 
Operations are undisturbed. This enables one to eliminate internetting capabilities from 
the local network and puts the burden for the IP on the gateway. Additionally, the IP 
concept is taken one step further in a catenet which is a collection of interconnected 
networks using an IP. [Refs. 4,15] 
7. Transmission Media 

A transmission medium is defined as the physical path between network 
transmitters and receivers in a cOmmunications system. Common media include 
twisted pair cable, coaxial cable, radio waves, optical fibers, and infrared transnussion 
through the atmosphere. The geographic scope of these media is the maximum 
distance between different points on the network. Noise is a contamination of the 
network that includes effects of distortion and interference. Different media have 
varied immunity to noise, due to their construction and nature of operation. 
eel. |7spp. 19,21] 

Traditionally, twisted pair, coaxial, and fiber optic cables are used to transmit 
information within a LAN and are the media our generic configuration will use. 
Understandably the physical channel produces certain constraints on factors important 
to the network manager in terms of the amount and quality of information transnutted. 
fivciesl 7: p. 21} 

a. Twisted Pair 

Twisted pair is just that, a pair of wires that form a transmission line/cable. 
The transmission distance depends on signaling techniques and quality of wire. 
Twisted pair can be used for both multipoint and point-to-point in analog or digital 
transmission. Moreover, multipoint service data rates and distance are restricted. In 
addition, twisted pair provides one data path known as the “baseband”, which consists 


of a bidirectional digital signal [Ref: 16: p. 32]. Usually twisted pair is used for low 
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speed transmissions. In short, point-to-point is better than multipoint for LAN 
applications, and most applications restricted to buildings or a few close buildings. 
Furthermore, extra protection is required for twisted pair, especially when it runs 
outside buildings. [Refs. 14,17: pp. 7,22-23] 

Geographic scope is an important parameter in terms of network security 
for twisted pair. The reason is that energy loss increases with distance between devices. 
What’s more, the transmission line acts like a transmission antenna and allows 
motivated outsiders to detect and receive that energy. Under the right conditions 
normal LAN transmission distances can range up to 15 kilometers. [Refs. 14,17: pp. 
1,22-25] 

The CBX is the most common contemporary network implementation 
using twisted pair transmission lines among network nodes. Hence, twisted pair 
connections are usually from device to central switch, intermediate switch, or 
multiplexer Nel eee 

b. Coaxial Cable 

Construction of coaxial cable is more complicated than twisted pair. There 
1s an internal conductor wire with an outer conductor concentric with and completely 
surrounding it. Coaxial cable is used for point-to-point applications. Besides that, it is 
particularly good for multipoint topologies, yet it can be used for simple to 
sophisticated conventional topologies (star, ring, bus, etc.), and variations of the above. 
In fact, coaxial cable networks are well suited to bus/tree architectures, that may be 
used for office automation, laboratory, and process control environments. [Ref. 17: pp. 
24-26] 

Both baseband and broadband coaxial transmission distances depend on 
tolerable delay, load, and implementation. Unlike baseband, broadband provides 
multiple and separate data paths (channels). Maximum distances in typical baseband 
coaxial networks are limited to one to three kilometers, while broadband networks can 
span areas of ten kilometers or more (fifty is a practical upper limit). Capacity is mid- 
range between twisted pair and fiber optic cable (fiber optic is covered next). In short, 
broadband coaxial cable can provide a high throughput for a large number of devices. 
[Reiss lai pps. 25) 

Even though coaxial cable has a different construction than twisted pair, it 
may still “act as an antenna allowing an eavesdropper to tap into the line with pickup 
coils appropriately placed.” As a result, geographic scope is an important network 
security parameter for coaxial cable. [Ref. 17: p. 24] 
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c. Fiber Optics 

Compared to conventional twisted pair and coaxial media, optical fiber has 
a completely different construction and composition. One optical fiber has a center 
core of plastic or glass material with a high index of refraction. Each fiber is 
surrounded by a cladding layer of a material with a slightly lower index of refraction. 
The cladding laver isolates the fibers and prevents cross talk between adjacent fibers. 
An optical cable consists of a group of discrete optical fibers that each transmit a light 
signal from one end of the cable to the other. [Ref. 17: p. 26] 

Some fiber optic cables include a steel stabilizing central member. This 
type of cable should be avoided in applications where computer security is of 
importance because the steel stabilizer acts as an antenna for the signals, even though 
fiber cable does not use the steel stabilizer for transmission. Without a steel stabilizer, 
fiber optic cable is tap proof because the number of passive taps are currently limited 
by the properties and composition of the cable. So in relation to network security, 
fiber optic cable can provide a non-emanating media that requires less physical 
protection than twisted-pair or coaxial cable. [Ref. 17: pp. 27-29] 

A signal-encoded beam of light is transnutted through an optical cable to 
produce high transmission capacities. Data rates are as high as a few gigabits per 
_ second over a single glass fiber. {Ref. 17: pp. 26-27] 
| Current applications include long-haul computer-to-computer high speed 
links, long distance terminal and processor connections, links between buildings, and 
communications trunks between complexes at opposite ends ofa city. [Ref. 17: p. 28] 

8. Ethernet 

Ethernet is a packet switched, multi-accessed communications svstem for 
carrying digital data among locally distributed computing systems. It is a passive 
broadcast medium with no central control for the network communication channel. 
Channel access is coordinated in a distributed fashion by the stations wishing to 
transmit. Ethernet was originally developed by Xerox. The current updated version of 
the Ethernet design was jointly developed by Digital Equipment Corporation, Intel, 
mam erOx. {Ref. 18: p. 39] 

Ethernet access techniques are based on CSMA/CD (mentioned above). The 
basic components consist of a station, controller, transmission system, and controller- 
to-transmiission-system interface. The “station” is the basic addressable device 


connected to an Ethernet; it may be a terminal, computer, or some other ADP device. 
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As a general rule, the set of functions and algorithms needed to manage access to the 
channel are referred to as the controller. The transmission system includes a broadcast 
transmission medium, the appropriate transnutting and receiving devices, and all the 
components used to establish a communications path among the controllers. The 
Ethernet interface is fairly simple because the controller does much of the work. For 
instance, the protocol for managing access to the transmission system is implemented 
in the controller, and the controller manages the communications process. 
[Ref. 18: pp. 40,44] 

Applications intended for Ethernet include office automation, distributed data 
processing, and terminal access. The driving force behind it’s development was to 
provide economical connection to a local communication medium carrying bursts of 
traffic at high peak data rates. [Ref. 18: p. 53] 


Security of Ethernet svstems is summarized: 


Protection, security, and access control are all svstem-wide functions that require 
a comprehensive strategv. The Ethernet svstem itself is not designed to provide 
encryption or other mechanisms for security, since these techniques by 
themselves do not provide the kind of protection most users require. Security in 
the form of encrvption, where required, is the responsibility of the end-user 
processes, [Reialt: pan! 


9. The Generic Base-line Configuration 

As mentioned above, the configuration illustrated in Figure 2.1 is used for 
illustration only. It represents the majority of basic components typical of LAN 
applications. A point of interest is that it uses the Ethernet and CBX LAN 
configurations together on the same LAN. The idea is to have a more responsive 
system by separating host traffic on the Ethernet and device traffic on the CBX. In 
terms of the generic base-line, the majority of devices connected via the Ethernet are 
considered to be host computers, and the majority of hardware accessing, or connected 
to, the LAN via the CBX will be considered to be devices (personal computers (PC), 
terminals, printers, etc.). 

In reality, numerous combinations of microcomputers, mainframe computers, 
personal computers, peripherals (printers, disk drives, etc.), and terminals could be 
attached to the network. For the purpose of this thesis, it will be assumed that twisted 


pair, coaxial, or fiber optic cable could be used (in appropriate locations). 
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C. POSSIBLE USES/APPLICATIONS 

An application is a “system” that has been defined to be suitable for 
implementation of electronic data processing techniques [Ref. 3: p. 22]. Common 
applications include word processing, data base management systems, spread sheets, 
and mail (message) systems. Specific applications can be developed and tailor-made 
for a user. Many applications can be purchased “off the shelf’, while others are 
extremely complicated (space shuttle systems, navigation systems, C3 systems etc.). 

For the generic baseline configuration this thesis will assume that all the common 
applications can be run, and that a high volume of mail traffic exists as a result of 
tailor-made applications. Two examples of high volume mail/message environments 


are C3 and large scale technical analysis operations. 


D. ENVIRONMENTAL CONSIDERATIONS 

“Computers have been shot, stabbed, stolen, and intentionally electrically shorted 
out.” Environmental security once meant keeping a computer facility surrounded by 
locks, fences, guards, etc. Today's environment is much different with manv small 
powerful computers, portable terminals, etc. Physical security concerns include 
controls that protect against natural disasters like fires, floods, or earthquakes; 
intruders or vandals; and environmental hazards like power fluctuations. Physical 
Security controls are needed to regulate the environment surrounding the computer. 
Additionally, the environment includes areas not covered in this thesis: program 
libraries, logs, records, magnetic media, backup storage areas, and utility rooms. 
feel, 12: p. 21] 

In sum, environmental security is more concerned with the physical ADP security 
arena. This thesis will be concerned more with security of the LAN configuration than 
actual physical device and building security. Nevertheless, there will be aspects of the 
configuration analysis that address certain physical threat areas (natural disaster, 
inadvertent actions, and deliberate actions). Consequently, an overview of 
considerations for physical access, electrical power, and the general environment will be 
presented. 

Environmental factors follow with a _ brief explanation of threats or 
vulnerabilities, and general safeguards. 

1) Physical building security -- vulnerable areas are adjacent to, within, above, 
and below any building containing an ADP center, ADP equipment, computer 


equipment room, miedia librarv, utilitv sources, and alarm systems, especially 
at, periges pier than normal work hours. Safeguards include [Ref. 19: pp. 
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2) 


3) 


4) 


5) 


6) 


E: 


a) Building design: ADP center isolation; limited access routes; integrity of 
construction; reinforcement; underground communication/power lines; 
extensive lighting. 


b) Physical barriers: fences; barred windows; locks; automated access 
systems; man-traps; secure storage containers (safes, etc.). 


c) Guards and receptionists. 

d) Electronic monitors -- includes intrusion detectors and object detectors. 
e) Administrative procedures: access lists, sign-in logs, badges, etc. 

f) Visitor control: authorization; inspection; records; etc. 


Electric power -- basic threats are transients; brownouts; blackouts. 
Moreover, power surges can alter programs, erase memory, and destroy 
microcircuits. _ Possible safeguards include monitoring ‘devices, spike 
suppressors, voltage regulators, dual feeds, and diesel generators. [Refs. 12.19] 


Environment -- basic threats are temperature extremes, humidity, and particle 
contaminants. Safeguards include monitoring devices, redundant air 
conditioning, access to outside air for emergency Ventilation, dust covers, bans 
on smoking. [Refs. 12,19 


Fire -- prevention includes building construction using fire resistant materials, 
and fire partitions and dampers where possible: ADP center isolation; periodic 
fire inspections; proper sprinkling systems. [Refs. 12,1 


Flooding -- threat sources. include flood plains, water storage areas, 

Wwater’steam Pues and building leaks. Safeguards include building location 

Ene syem ADP center location, water seals, and drain systems. [Ref. 19: p. 6 
-5 


Other considerations. 


a) Neighboring threats: chemical or explosive operations, construction 
gouges airports, major roads, and high crime areas. [Ref. 19: p. 7 FZ 
“2 


b) Electromagnetic interference include: elevators, cleaning, equipment, 
oy lines. radio and TV transmitters, microwave communications, and 
DAR. [Ref. 19: p. 7 FZ S-50] 


9) Communications failure: must provide adequate. protection of 
communication links. [Ref. 19: pp. 1 $-27 Atch 13,1 S-28 Atch 4] 


d) Computer hardware failure: prevention includes proper maintenance 
procedures and record keeping. security clearances for maintenance 
people, and contingency plans. [Refs. 12,19 


FUTURE EXPANSION 


In general, there is a lot of flexibility and room for expansion in a LAN 


configuration because it can provide for the interconnection of a variety of data 


communication devices, an increased number of device nodes, and can be connected to 


other networks via gateways. To all that, more “applications” could be added, 


assuming appropriate hardware capability exists. 


For instance, the generic configuration presented in this thesis could be expanded 


to provide standardized templates or “boiler-plates” for queries, menus, reports, data 
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bases, RDT&E testing, DoD systems acquisition, etc.; generic data analysis; and 
project management. Also, expert systems could be implemented to assist with test 
and project planning. Thus, a LAN configuration is a natural tool to develop 
applications, prototypes, testing methodology, etc., via easy network interface allowing 
faster production and testing of configurations. This includes analysis of LAN 
computers, terminals, transmission media; and design of benchmark and LAN 
configurations. 

Clear, too, is the possibility of internet network connection via gateways or 
bridges to wide-area networks. A single LAN configuration might be expanded to 
include multiple gateways to the same wide-area network, or several wide-area 
networks, via modification of existing device nodes and/or addition of gateways. 

Given the generic LAN components and future expansion possibilities covered in 
this chapter, network management becomes more complicated when the network 
processes sensitive information. Security can be best applied early in the network 
design stages, but first a network manager needs to have a feel for the security 
guidance that applies to his or her network. The next chapter provides an overview of 
some existing security regulations and guidance and how it applies to LANs and 


networks in general. 
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Ill. SECURITY REGULATION AND GUIDANCE OVERVIEW 


A. INTRODUCTION 
Once any network (or ADP system) is required to process sensitive information, 
security measures must be implemented. In general, the degree of information 
sensitivity determines the extent of security control required for the system. Thus, the 
LAN configuration must be shaped to meet the security requirements for a given level 
of sensitivity. 
1. Scope 
a. What is Covered 
In general, topics within selected regulation and guidance that pertain to 
ADP networks (i.e. LANs) are addressed along with limited risk management, physical 
and environmental aspects. Also, limited accreditation items relating to Army 
Regulation (AR) 380-380 ADP network accreditation requirements are addressed in 
this chapter. The accreditation process is discussed in more detail in Chapter V. Also, 
Chapter I may be referenced for an accreditation overview. 
Regulation and guidance topics referenced by this thesis are placed in four 
broad categories: 
1) Regulations and guidance that apply to LANs. 
2) Regulation and guidance that DO NOT apply to LANs. 
3) Outdated regulations and guidance, i.e. no longer applies 
4) LAWN areas and topics not covered by regulations etc. 
All the categories are concerned with any ADP requirement that relates to networks as 
Well as network specific requirements. Given the parts of the generic network 
description in Chapter II, applicability of guidance is based on general system-wide 
considerations and component level considerations. For example, a system-wide 
consideration is the sensitivity level(s) of information an entire system will handle. 
Thus, the corresponding sensitivity guidance is applied. Similarly, guidance for a 
remote mainframe computer terminal would be applied to network terminals (a 
network component). This approach is applied to all LAN component and “system- 


level” areas. 
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b. What is Not Covered 
Personnel requirements are not covered by this thesis. Topics such as 
sensitivity of classified information that relate to personnel security are addressed. 
2. Background 

There is almost nothing in the guidance reviewed for this thesis that pertains 
to “LANs” specifically and very little in terms of direct references to “networks” in 
general. But, the guidance reviewed does address ADP security topics that relate to 
general LAN/network components. Remember, the thesis is restricted to existing 
guidance selected by USACDEC/DIM (guidance is listed in the following section of 
this chapter). 

Because AR 380-380 is currently the focal guidance for ADP security in the 
Army, it is used as the origin for all other guidance reviewed for this thesis. Thus, the 
basic security topics covered in all regulations referenced are similar to AR 380-380: 
physical, environmental, personnel, communications, telecommunications, terminal 
access, hardware, software, procedural, risk management, etc. Yet to better summarize 
the limited number of network security topics, the AR 380-380 topics are combined 
into. more’ general topic areas. These topic areas are _— sensitivity, 
physical/environmental, risk management, general communication (telecommunication, 
communications security, etc.), configuration (hardware, software, access), and 
general/miscellaneous ADP. Moreover, anything pertaining to a topic area is 
addressed in each of the four regulation categories mentioned above. 

Before continuing, telecommunications, protected distribution system (PDS), 
communications security (COMSEC), and an automated telecommunications system 
(ATS) are defined. Telecommunications is the transmission, emission, or reception of 
signs, signals, writing,-images, sounds, or other information over wire or broadcast 
medium to and from a distant location. A PDS, is an approved telecommunications 
system that permits safe transmission of unencrypted sensitive information by applving 
physical and electromagnetic safeguards. Note that the term “network” is not used 
[Ref. 13: p. 78]. Communications security is the protective measures exercised to deny 
unauthorized access to teleconimunications information related to U.S. Government 
national security. Security measures include crypto-security, transmission security, 
emission security, and physical security. Cryptography is the art or science concerning 
the methods, means, and principles for making plain text unintelligible and for 


converting encrypted messages into intelligible form. [Ref. 13: pp. 72,73] 
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An ATS is a computer based system composed of terminal and/or automated 
switching equipment, interconnecting facilities, and/or control equipment, used for the 
purpose of transmission and reception of signals in the form of sounds, images, 
graphics, and data, and their associated firmware or software programs. Note that an 
ATS seems to equate to a general definition of a network in terms of device-to-device 
communication transmission. More on this is addressed in Category 4 comments 
below yiner she noe 72] 


B. GUIDANCE SUMMARIES 
Guidance referenced for this thesis are listed below. A summary for each may be 
referenced in the Appendix. 


e SRC ins om 380-380: AUTOMATION SECURITY. Effective 8 


e ARMY REGULATION 380-5: Deptartment of the Army Information Security 
Program. Elfective lo RE Recs: 


e SG REGULATION 18-1: Army Automation Management. Effective 15 


e TECHNICAL BULLETIN TB. 18-100: Army Automation Life Cvcle 
Management. Effective 15 AUG 81. 


e ARMY PAMPHLET _18-4: Processing Installation Review/Evaluation 
Checklist. Ellective iors: 


e ARMY PAMPHLET 18-7; Automatic Data Processing Management Review 
Guide. Eitcctve Jj9pEe@ 


e ARMY REGULATION 530-2: Communications Security (COMSEC) 
Eiiective tS uaoc 


e ARMY REGULATION 18-7: Automatic Data Processing Management Review 
Program. Effective 30 NOV 84. 


e ARMY TECHNICAL BULLETIN TB .18-107: Army_Automation Automatic 
Data Processing Equipment Operations Management. “Effective 3 FEB 80. 


e ARMY a ee 380-53: Communications Security Monitoring. 
Effective 15 NOV 8 


e DEPARTMENT OF DEFENSE (DoD) MANUAL | DoD = 5220.22-M: 
ORR, SECT | Manual for Safeguarding Classified Information. Effective 


e DoD, DIRECTIVE 5215.1 (DoD Directive 5215.1), SUBJECT: Computer 
Security Evaluation Center. Dated 25 OCT 82. 


¢ DoD MANUAL 5200.28-M: ADP Security . Manual Techniques. and 
Procedures for Implementing, Deactivation, Testing, and Evaluating Secure 
Resource-Sharing ADP Systems. Dated JAN 73. 


¢ DoD COMPUTER SECURITY CENTER. CSC-STD-001-83: DoD Trusted 
Komputer ie Evaluation Criteria. Also known as the “ORANGE BOOK", 
ate 


e DoD DIRECTIVE 5200.28: Securit ae for Automatic Data 
Processing (ADP) Systems. Dated 18 AUG 72. 
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e NATIONAL COMPUTER SECURITY CENTER, PUBLICATION NCSC- 
WA-002-85: Personal Computer Security Considerations. Dated 1985. 

C. CATEGORY 1: GUIDANCE/REGULATIONS THAT APPLY TO LANS 

Since information/data sensitivity determines the security requirements for the 
ADP system that handles it, sensitivity requirements and modes of operation will be 
addressed first. To emphasize the limited number of direct references to networks, 
general network guidance references will be addressed next, then other general ADP 
topics that pertain to networks will be presented. Since there are so few direct 
references to “LANs” and “networks” in general, the rest of the thesis will use the two 
terms interchangeably. 

1. Sensitivity 

All guidance references stressed that sensitivity of data be based on an 
individual’s need-to-know the information in relation to performance of duty. The 
need-to-know must be a valid, approved need, based on the information contained in 
the system and the information’s potential damage to national security, if it was some 
how leaked or stolen. [Ref. 20: p. 10] Sensitivity designations are divided into broad 
categories with the flexibility for an accreditation authority to impose more restrictive 
designations. The accreditation authority is the official designated to accredit DPAs 
and ATSs for the processing, production, use, and storage of sensitive defense material 
iver £3: p. 71). 

Sensitivity applies to ATS, administrative, and normal ADP systems, therefore 
this thesis will assume it must apply to LANs as well [Ref. 13] Moreover, in terms of 
need-to-know, basic ADP sensitivity requirements are similar for contractor access of 
most types of classified information. In short, security requirements for components 
(transmission media, terminals, controlling devices, etc.) result from the assigned 
sensitivity level. | 

AR 380-380 sensitivity designations are divided into four levels just as the 
designations in the Department of Defense Trusted Computer System Evaluation 
Criteria (CSC-STD-001-83), also known as the “Orange Book”. The thesis will refer to 
it as the Orange Book from this point on. The sensitivity requirements in each 
document are similar, but labeled different. Reference the Appendix summary of the 
Orange Book for a label comparison. We will use the AR 380-380 designations listed 
below. [Refs. 13,21: pp. 6,5-51] 
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¢ CRITICALLY SENSHIVEtes) 

- Applies. to DPAs/ATSs that process classified defense information | or 
applications involving large dollar volume. assets, and resource accounting 
or authorization data greater than $25 million per year. 

- Levels in descending order of sensitivity. a) Level 1 (CSI). - sensitive 
compartmented information (SCI) or Single Integrated Operational Plan-- 
Extremelv Sensitive Information (SIOP-ESI). by) Level 2 (CS2) = er 
SECRET. c) Level 3 (€S3) - “SECRE1/CONF IDES TIAL. informationsen 
applications involving large dollar volume assets or resource accounting or 
authorization data (S25 million per, annum or higher).” Large dollar 
volume assets and resources refer to items that range from: weapons (like 
tanks) to large stock piles of supplies, for example millions of dollars worth 
of telephone poles stored 1n one [ocation. 

e¢ HIGHLY SENSITIVE (HS) applies to: 


- DPAs/‘ATSs not included in “CS” above, that process FOR OFFICIAL 
USE ONLY (FOUQ) information. 


- Information covered by The Privacy Act of 1974. 


- “Asset or resource accounting of authorization data of dollar value greater 
than $1,000,000. 


- oy unclassified data the accreditation authority wants to classify at this 
evel: 


¢ “SENSITIVE. 
- Applies to information not covered by “CS” or “HS”: a) DPAs/ATSs that 
process information relating to asset or resource, plop a or 
contractual information’. b) Any data the accreditation authority wants to 
Classify at this level. 


- “Includes data vulnerable to fraud, theft, misuse, misrepresentation, or 
interception. 


¢ NONSENSITIVE. 
- An analysis has indicated that a higher classification is not required. 


- Analysis must be approved by the installation system security manager 


- Analvsis must be Kept on file and reviewed. 

Sometimes a higher classification may be assigned to combinations of 
information which warrant higher classification than that of the single parts of 
information. This is known as “compilation”. This includes combinations of certain 
types of data/information (defense plans, technical information, etc.), and large dollar 
volume asset or resource accounting amounts. [Ref. 20: p. 11] 

2. ADP Security Operation Modes 

Possible operation modes for the above sensitivity levels require certain non- 
waiveable features (passwords, audit trails, etc.) [Ref. 13: p. 8] The operation modes 
that apply to all types of systems (ADP, ATS, etc.) are listed below. [Ref. 13] 


* SMULTILEVEL SECURITY MODE. 
- A trusted system of operating system software, hardware, and firmware. 


- Restrictions. a) Need written approval of ACSI to use multilevel. b) If 
intend to secure accreditation, must notify ACSI prior to milestone 0. 


- All CS1 or CS2 systems need the specific written approval of the ACSI. 
- This mode does not apply to CS3 and lower sensitivity systems. 
e CONTROLLED SECURITY MODE. 
- Characteristics [Ref: 13: PP. 7-8]. a) Untrusted operating svstem software. 
System secure for highest information security level. c) Swstem accesses 
no more than two security clearance levels below the highest level of 
information on the svstem. d) Each terminal area can be sécured for the 
highest level of information processed through the terminal located in that 
aréa, 1.e. semi-multilevel because different terminal areas may have different 
access levels. 
- Controlled security mode requirements apply from host to all remote 
locations. Again regulation is in terms of general ADP networks, not 
LAQNs. (Ref, 13: p.42!| 
e SYSTEM HIGH MODE. 
- “The central computer system and all of its connected peripheral devices 
and remote terminals are protected according to the highest classification of 
material in the svstem. 


- All personnel accessing the system have a security clearance, but not a 
need-to-know all material in the svstem. 


mee OE VICATEDTSECLRITY MODE [Ref. 13: p. 8]. 
- When a computer system (terminals, peripherals, etc.) is classified for a 
certain tvpe/categorv of information, and all users have the same security 
clearance and the need-to-know. ; 


- Required for all systems unless one of the above modes is approved by the 
accreditation authority. 


meee RIODS PROCESSING [Ref. 13: pp. 8,46] 
- “Included in the Dedicated Security Mode when the entire svstem is used 
for a specific period of time for a category, type, or classification of 
information. 


- People must have the appropriate security level for the time(s) they access 
the system. 


- Can be used for certain pes of information on systems accredited tn the 
systems high and controlled security modes. 


3. General Network References 

a. General Direct References 
Even though there are few references to “networks” in AR 380-380, it 
defines “networks” as one of several operational service modes, and the most vulnerable 
[Ref. 13: p. 7]. At best, AR 380-380 mentions network specific positions: network 


manager, network security officer, and a terminal area security officer (TASO) for 
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remote terminals which are network related. Moreover, one manual addresses all 
aspects of ADP (remote devices, telecommunications, etc.), but does not mention 
“network” except in ADP and communications networks interfaces. It states that 
security measures must meet telecommunications network requirements and be cost 
effective. [Ref. 22] 

Furthermore, the only direct literal reference in one Army regulation 1s to 
the Defense Data Network [Ref. 23]. Other guidance referenced contained some 
“network” checklists [Ref. 24], and noted that they are only a “checklist” [Ref. 25]. 
Another directive pointed out that the Computer Security Evaluation Center (CSEC) 
purpose includes evaluation of “network security.” This indicates that government 
regulators are concerned with network security and not just security of specific ADP 
component categories, but still networks are not addressed as an entity in great detail 
{[Ref. 26]. The guidance documents referenced for this thesis should at least reference 
some form of LAN/network guidance, or at least identify important LAN/network 
topics within. 

b. General Indirect References 

As mentioned earlier, most of the guidance addresses general ADP svstem 
components that are often part of networks, as well as stand. alone computer svstems. 
By addressing these ADP parts, or components, overall network security considerations 
can be obtained. As a result, the network accreditation authority must ensure that the 
network component security requirements produce a synergistic effect that yields the 
desired level of system security for the network. This idea applies to direct and indirect 
guidance requirements identified throughout this thesis. 

4. Risk Management 
Risk management is defined by AR 380-380 as “an element of managerial 
Science concerned with the identification, measurement, control, and minimization of 
uncertain events.” Procedures are not standardized because every system is unique. 
There are four phases [Ref. 13: pp. 29,77] 
e Risk assessment derived from an evaluation of vulnerabilities and threats. 
e Management decision. 
e¢ Control implementation. 
e Effectiveness review. 
Vulnerabilities and penetration are addressed by this thesis in general ADP 
terms. [Ref. 13: pp. 67-69] 
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Again, as mentioned in Chapter I, a risk management analysis 1s assumed to 
be complete for the generic LAN presented in Chapter II. A risk management analysis 
is an important, but lengthy process in terms of this thesis. It should be conducted in 
a real-world implementation because it is intended to assist with the network sensitivity 
designation. In order to limit the scope of the thesis, it is assumed that a adequate risk 
management analysis was conducted that identified all vulnerabilities (this is an ideal 
situation). 

5. Configuration Control 

Configuration control regulations and guidance are presented in access, 
hardware, and software topic categories. Again, material presented here is a general 
summary of ADP components and processes that apply to network components. 

a. Configuration access control 

Access security for an ADP system 1s concerned with control of procedures, 
information, access to terminals/devices, and resource sharing. AR 380-380 and other 
guidance is based on a need-to-know with “access” only to the hardware devices and 
software needed to accomplish an assigned task. The general idea of security access 
control procedures is to minimize vulnerability during authorized and unauthorized 
Start up and shut downs, provide mandatory control of ATS jobs on all new Army 
systems, and provide transaction logs for accountability. [Ref. 13: pp. 24-25] 

In general, actual information access control to data files is based on 


mandatory access control and discretionary access control. Mandatory access control 1s 


a means of restricting access to objects based on the sensitivity (as represented bv 
a label) of the information contained in the objects and the formal authorization 
(1.e., clearance) of subjects to access information of such sensitivity. 


Discretionary access control is 


a means of restricting access to_ objects based onthe identify of subjects and/or 
groups to. which they belong. The controls are discretionary in the sense that a 
Subject with. a certain access permission is capable of passing that permission 
(perhaps indirectly) on to any other subject. [Ref. 21: pp. 110,111] 


By consequence, pure data control requires an auditable record of data as that data 1s 


processed through the system. In fact, this is one of the few places where “network” is 
mentioned literally. [Ref. 27: p. 2-1] 
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Before an ADP system, terminal or device, or a network can access or 
interface to a specific ADP network, the ADP system, device, etc., must meet approval 
of the DoD component, and the agency operating the net. Normally, the agency and 
component have responsibility for security of a network [Ref. 22: p. 20]. In addition, 
sharing of ADP resources between agencies needs approval. The guidance addresses 
resource sharing in an ADP context, but can be easily applied to networks. For 
instance, an administrative LAN typically requires sharing of peripherals for word 
processing, data base, and other applications. [Ref. 27: p. 7-1] 

b. Hardware and Software 

Most hardware configuration control guidance is in terms of a single ADP 
configuration with a central mainframe site. Life cycle security planning is required 
from beginning to end and applies to networks, nodes, and terminals as well as general 
ADP systems: [Ref. 13: p. 10]. 

Acquisition of entire ADP systems or components is a function of mission 
need. To streamline acquisition and give it flexibility, AR 18-1 encourages low level 
decision making (to “practical levels”), and stresses ADP decentralized management 
concepts. If the reader is currently involved, or about to begin, some sort of ADP 
network security planning or implementation, he/she may find that general integration 
and streamlining of regulatory ADP network guidance may also be a desired tool for 
system acquisition. This thesis could be used as a primer for such a project. 
Decentralized management seems to be a good environment for LANs because of their 
distributed yet inherently unsecure nature. In addition, AR 18-1 states that Army 
ADP management principles must comply with federal laws and regulations. 
[Ref. 28: pp. 1-1,1-2,2-1] 

In terms of network hardware and software components, some guidance 
(such as AR 380-380 and Army Pamphlet 18-7) provide checklists. Checklists include 
configuration optimization, communication, emanation, and remote access security. 
Checklists in Army Pamphlet 18-7 must be completed on an annual basis, when there 
are equipment upgrades, or major agency reorganization. [Refs. 13,24] 

Another point of interest is that personal computers (PCs) must be 
accredited with a specific ADP system if the PC will interconnect, or be collocated, 
with that system more than 50 percent of the time. The same security requirements (in 
relation to need-to-know, etc.) that apply to the ADP system apply to the PC(s). In 


addition, a privately owned PC can only be used in a stand alone configuration, but 
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must comply with all provisions of AR 380-380 and other guidance. Information 
processed becomes the property of the agency in which it is used. [Ref. 13: pp. 9-10] 

It is required that “software-based protective controls complement and 
support hardware protective features of computer circuitry.” General purpose software 
categories (executive, utility, tools for development of applications software, and 
applications software) all require adequate software security controls. Again, security 
requirements must be appropriate for the sensitivity level of the system. Guidance on 
operating systems is addressed in Chapter IV. [Ref. 13: pp. 20-22] 

6. Physical/Environmental Considerations 

Physical and environmental guidance requires physical facility access controls 
that meet security and protection standards appropriate for the sensitivity levels of 
information handled by any ADP system. This includes ADP administrative and 
network systems. Even though personnel security is not addressed directly in this 
thesis, it does play a major role in all aspects of ADP security. One point stressed by 
AR 380-380, and other guidance, is that protection of remote terminals/sites requires 
they be staffed with people cleared for the highest security classification level cleared 
for that particular site. For example, this is a requirement of the controlled security 
mode. [Ref. 13: pp. 21,45] 

7. General Communications 

ADP-to-ADP equipment . communication links can _ be _ intersystem, 
Internetwork, and intranetwork. With so many possible device-to-device interfaces, 
standardization of ADP component connections is a major Army ADP management 
goal. Naturally with or without standardization, connection of ADP systems or 
networks require awareness of security requirements of the other system and agency. 
peers. 13,28,29] 

Army COMSEC policy requires that all record telecommunications will be 
secured by either PDSs or encryption in approved cryptographic systems. In addition, 
guidance indicates that PDSs have physical and electromagnetic safeguards approved 
on a case-by-case basis. The PDS must be approved for a certain sensitivity level and 
mode of operation [Refs. 13,29: pp. 76,10]. Moreover, all circuits that interconnect 
remotely located components of Army automation systems or networks must be 
provided COMSEC protection under the provision of AR 530-2. COMSEC can be 
achieved by proper implementation of: 

e National Security Agency (NSA) produced cryptographic systems. 
e An approved Protected Distribution System (PDS). 
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e ipRipved commercial communications protection equipment. [Ref. 13: pp. 


In contrast to encryption and other requirements, guidance recognizes that 
enemy technical developments could render current encryption processes and 
components useless. Thus, continuous evaluation of communication links for 
encryption and system emanation vulnerabilities, and emergency procedures, should be 
part of system operations wherever remote ADP components exist. [Ref. 29: pp. 2-3] 
Vulnerability and hearability (emanation detection) surveys may be requested for ADP 
systems to test susceptibility of communication signals to monitoring. These tests 
determine the degree of security of system cryptography. Cryptography applies to 
TOP SECRET, SECRET and CONFIDENTIAL system processing. [Ref. 30: pp. 4-5] 


D. ee 2; GUIDANCE/REGULATIONS THAT DO NOT APPLY TO 


Given the fact that there are few direct literal references to network security in 
the guidance referenced, the topics covered in this category will address general 
network related ADP guidance topics in terms of sensitivity, communications, and 
configuration control. Moreover, each of these areas will be separated into waivers 
and exceptions. An exception is a case to which a rule does not apply. A waiver 1s 
“the act of intentionally relinquishing or abandoning a known right, claim, or 
privilege.” Additionally, this thesis will assume a waiver is equal to a “temporary 
exception.” [Ref. 31: pp. 432,1325] 

1. Sensitivity 

Sensitivity waivers deal mainly with time limits and/or extensions. 
a. Waviers 
In reference to security operating modes general ADP guidance (like AR 
380-380) recognizes the need for temporary exceptions with intent to obtain full 


security compliance. Moreover, 


se oue exceptions may be authorized by the. . . Designated Approving 
Authority. . .. for specific security measures which they have determined would 
impair operation and mission effectiveness, provided they assure that continuous 
progress 1s made toward the ultimate full compliance with the Directive at the 
earliest practicable time. 


Also, the approving authority should not delegate authorization authority. 
(Reis sls32) 0p sono! 
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b. Exceptions 
In AR 380-380 the MACOM-commander or heads-of-Army-elements may 
direct higher sensitivity levels. Conversly, for CS2 systems: “the accrediting authority 
may designate the DPA at one level of sensitivity lower than that prescribed... if all 
the following conditions exist”. 


e “The volume of information in the higher level of sensitivity requires less than 5 
percent of total processing (wall clock) time: 


e Higher level sensitivity information 1s Pare ooce in the local operational service 
mode (AR_ 380-380 paragraph 1-11b(1)) and Dedicated Security Mode 
(paragraph I-13d). 


e “Additional security and protective, measures are taken to safeguard the 
information of the higher level of sensitivity. 


e “All personnel have the security clearances for the highest level of classified 
information to which they may be exposed. (AR 380-5 applies).” [Ref. 13: p. 6] 


The higher the sensitivity level, the higher the approval authority required 
to approve an exception. For instance, in the multilevel security mode, exceptions are 
“prohibited for all CS1 or CS2 systems without the specific written approval of the 
ACSI"; and but this is not applicable to CS3 and lower sensitivity systems. 
[Ref. 13: pp. 7-8] 

In general, exceptions must be reviewed biennially and specific securitv 
requirements may have to be interpreted when applying security level criteria. 
Wives, 21,32: pp. v,>| 

2. General Communications 
Exceptions to transmission requirements must offer the same degree of 
protection as approved components, processes and procedures. If less protection is 
provided it may be possible to go to the next higher approval level. Exceptions will 
depend on characteristics unique to the svstem, which mav include the sensitivity of the 
information, the characteristics of approved ADP equipment, the characteristics of 
substituted equipment, the results of a risk analysis, and the organizations involved. In 
addition, exceptions for ADP systems becoming part of a network must be addressed 
before actual connection. [Refs. 13,32,20] 
3. Configuration Control 
a. Waivers 

General ADP security waivers are listed below [Ref. 13: p. 9]. 

e “Accreditation authorities may grant waivers or exceptions to existing svstems 
when compliance, with_ this regulation is not technically, economically or 


operationallv feasible. However, all changes, updates, and procurements will 
have as an objective elimination of waivers or exceptions. 
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e The condition or situation for which the waiver or exception is requested will 
be described and the justification given in order for the request to be evaluated. 


e “Waivers or exceptions will.be limited to a specific period of time, not, to exceed 
1 year. Exceptions or waivers will, not be renewed_or extended without the 
written approval of the accreditation authority, This extension will. detail 
specific actions taken to correct the situation or Circumstances necessitating the 
extension. 


e “Waivers will be included) in the Executive Summary ee Of Sth 
accreditation documentation.” Reference Appendix I in AR 380-380. 


b. Exceptions 
Discretion should be used in applving security provisions to automated 
administrative systems because not all of the guidance requirements are applicable to 
them. However, “the provisions of Chapter.5 (of AR 380-380) are applicable to all 


systems processing classified information.” [Ref. 13: pp. 2-10] 


Ek. CATEGORY 3: OUTDATED REGULATIONS AND GUIDANCE 

Guidance addressed by this thesis is the most current available at the time of 
writing. Guidance topics addressed in this category are not considered “outdated” in 
the literal sense because usually the most recently dated regulation, directive, etc., is in 
force until a revised version is produced. Certain aspects of the guidance referenced 
give the impression that some requirements are outdated or perhaps “old fashioned” in 
the world of developing ADP technology. For instance, administrative (word 
processing, etc.) and general ADP configurations seem to be addressed in terms of the 
old mainframe type of configuration, which does apply in a true ADP mainframe 
environment, but ignores a distributed network environment [Ref. 13: pp. 9-10]. From 
all information, AR 380-380 seems to give the impression that a central site always 
exists aS a “main” site. With the above points in mind, and, as pointed out earlier. the 
fact that networks are not specifically addressed in great detail as an entity, topics in 
this category are subjective. [Ref. 13] 

Some of the guidance referenced recognizes that it’s objectives could adversely 
affect use of rapidly changing technology. In fact, guidance as early as 1973 (DoD 
Manual 5200.28-M) states “this technology is dynamic and the methods chosen to 
secure a particular system must accommodate new developments without degrading the 
level of protection.” The same manual notes that new technology or security 
substitutes must be cost effective, production effective, and meet basic security levels. 
((Rere223 2) 
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Points of interest in this category relate to physical/environmental and 
configuration control topics. 
1. Physical/ Environmental 
In reference to the above points, much more attention is directed toward the 
“central site” verses a true distributed network. For example, the construction of a 
“central” computer complex and the “mainframe” computer room is addressed. This 
definitely applies to mainframes, which still exist and will for many years to come. In 
terms of networks and recent increases in desktop capacity and capability, moore 
specific guidance should be developed and integrated into, or added to, current 
guidance [Ref. 13: pp. 12-16]. Thus, guidance in this area still applies to mainframe 
configurations, but is not totally complete in terms of networks and PCs. 
2. Configuration Control 
a. Software considerations 
There are references to configurations that involve over the counter batch 
applications (very common in the 1960's). References also address media handling 
requirements that still include requirements for punch card decks. Is the operational 
age range of Army equipment so vast that modern punch card applications still exist in 
significant numbers? Or, has the acquisition process slowed replacement of such 
systems? Whatever the reason, a general indication 1s that “new” technology strategies 
and applications need to be added to Army guidance. [Refs. 13,20] 
b. Stand-Alone PC Duplication 
AR 380-380 states that stand alone systems should not duplicate standard 
Army systems. Again, AR 380-380 seems to ignore distributed processing and desktop 
capacity. There may be (or are) standard Army systems that could be transferred to 
desktop computers to provide emergency processing, backup processing, increased 
Capacity or production, or any other unique innovated tests or processing that can be 
devised to improve productivity. [Ref. 28: p. 2-2] 
c. Summary 
Some areas of the guidance appear to be outdated in terms of today’s 
desktop and distributed processing capability. Also, there is a mainframe flavor in the 
guidance and even reference to punch card requirements. In essence, the guidance 
covered in this section is outdated because it does not address considerations for 


distributed computing protection and security of PCs. 
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F. CATEGORY 4: LAN AREAS AND TOPICS NOT COVERED BY 
GUIDANCE 


1. Overview 

Again, the majority of the security guidance mentions network related 
components, not network specific topics. Thus, much 1s left to interpretation in terms 
of LAN/network security in areas not covered by the guidance. 

2. ATSs vs. ADP Networks (i.e. LANs) 

Chapter 11 in AR 380-380 is devoted to ATSs. Above, it was assumed that 
an ATS 1s very much like a network. The regulation implies that a network consists of 
two or more automated systems [Ref. 13: p. 5], but hardly mention ADP networks as 
an entitv. Is it a question of semantics? Given there are network check lists 
(mentioned above) and other limited references to networks, it is assumed that an ATS 
is at best a hybrid ADP network or an ADP network is a hybrid ATS. As mentioned 
at the beginning of the chapter, an ATS closely parallels the definition of a general 
purpose network. In today’s rapidly changing technical environment 1s it safe to 
assume an ATS has the exact same needs as an ADP network? If so, whyv is it not at 
least stated that a network equates to an ATS? Again, an ADP network is not 
addressed literally and topically as an entity. 

3. Configuration Components 

Again, nothing specific is mentioned about network component combinations. 

Only general ADP components are addressed. 
4. Software 

The only thing mentioned in specific network terms is that the network 
security officer (NSO) is to ensure that protocols are developed for networks. Specific 
network protocol guidance is not referenced. The software categories identified are 
general purpose; executive; utility; and software tools for development of applications 
software. Protocols would probably fall under the utility program category. A utility 
is “a program provided by a computer center or vendor to perform a task that 1s 
required by many of the programs using the system.” Because “utilities” is a general 
category, a protocol could be thought of as a communication or interface utility. 
[Ref. 13: pp. 20-22,389] 

5. Network Audit Procedures 
Again networks are not specifically mentioned in AR 380-380, but it does 


specify mandatory audit trails for all new teleprocessing systems. [Ref. 13: p. 24] 
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6. Peripherals vs. System Approach 
a. Accreditation 
A device must be accredited with a system if it is connected to the ADP 
system more than 50 percent of the time [Ref. 13: p. 9]. Network configurations can 
have many personal computers that do not need to access the network 50 percent of 
the time. With current desktop capability, a desk top could make it’s presence noticed 
in terms of network capacity and throughput. In addition, a hacker/spv could do real 
damage to a network with a PC. Is this impact of PCs really addressed? Not directly 
in terms of the guidance referenced for this thesis. This is another area that could be 
updated and made more network specific. 
b. PC security 
Issues related to networks are penetration and access. “Personal Coniputer 
Security Considerations’ NCSC-WA-002-85, published by the National Computer 
Security Center, covers PC security issues, an area not thoroughly mentioned in terms 
of todays network technology in the guidance addressed in this thesis. This document 
is NOT government policy, but an information memorandum. It addresses PC 
penetration, communication access, and transmission to networks, and other general 


information. [Ref. 33] 


G. THE NEXT STEP 

This chapter indicated that even recent ADP security guidance (1986) does not 
mention LANs, but must be used to shape LAN security features. Given the preceding 
Overview of security guidance, the next step is to take a closer look at security guidance 


for the system hardware, software, and transmission components found in a LAN. 
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A. PART 1: OVERVIEW 

As indicated in the previous chapter, a “need-to-know” is the driving force behind 
sensitivity levels and the ultimate classification of any ADP system, including LANs. 
Guidance indicates that the need-to-know in the pure sense 1s a major consideration for 
determining a sensitivity level. Whether the need-to-know is really the driving factor in 
every network now, or in the future, or how it is determined, is not within the scope of 
this thesis. However, a sensitivity level must be assigned, thus we will assume a valid 
need-to-know can be determined, and look further at sensitivity considerations. 

Chapter III looked at guidance areas that applied and did not applv to LANs. 
In contrast, Chapter IV looks at the same guidance in terms of how it applies to 
various LAN components, and the LAN configuration as a whole. From all 
information, the accreditation authority will have the ultimate approval, and at least 
share responsibility, in terms of what actually applies because each system is unique. 
Chapter V addresses accreditation. 

This chapter is divided into four parts. The overview (Part 1) explains 
component categories and a basic regulation planning strategy. Part 2 presents general 
guidance requirements for networks derived from the ADP and telecommunication 
guidance referenced for this thesis. Part 3 and 4 review general network requirements 
pertaining to multilevel and system high (respectively) security modes. Note that all 
material in this chapter is based on the regulations covered in Chapter 3. 

1. Chapter [V Component Categories 

Chapter II is structured around functional network categories like topology, 
protocols, internetworking, etc. For better identification of component topics, LAN 
coniponents in this chapter are listed in terms of general ADP topics presented in the 
guidance. The major categories are general system considerations, ADP hardware, 
transmission hardware, and software. The categories and components are listed below. 

e SYSTEM/MISCELLANEOUS CONSIDERATIONS 
- Configuration 
- Sensitivity 
- Mode 
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- Procedures 

HARDWARE - Computers 

- Mainframes 

- Minicomputers 

- Microcomputers 
HARDWARE - Interface 

- Controler Devices 

- Switches (CBX/PBX) 

- Protocols (hardware aspects) 
- Bridges 

- Gateways 

- Modems 

- Multiplexers 

HARDWARE - Terminal devices 
- Smart terminals 

- Computer terminals 

- Microcomputers 

- PCs 

- Printers 

- Electronic Storage (disk, tape, etc.) 
TRANSMISSION MEDIA 

- Twisted pair 

- Coaxial 

- Fiber optic 

SOFTWARE 

- Application 

- Interface (Protocols like Ethernet) 


- Operating system (general functions) 


2. A Strategy for Applying General ADP Guidance to a Network 


Strategy is defined as a “careful plan or method.” 


Understandably, system designers and accreditation authorities must be careful in the 
way each unique system is analyzed with regard to guidance requirements, because 
security guidance is not and cannot be hardware and configuration specific. Thus, 


given an application and configuration, the strategy listed below is also in general 
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1) Determine sensitivity range of information. 
2) Identify tentative operation mode alternatives. 


3) Place components. in appropriate category; includes identification of 
performance capabilities. 


4) Identify general system level requirements relating to categories. ; 
5) Identify general component requirements relating to categories. 


6) Identify ps mode requirements for each mode selected (multilevel, 
system high, dedicated, etc.) 


7)  Re-evaluate operation mode alternatives and select; based on _ each 
organization’s unique requirements. 


This chapter covers steps four, five, and six. Steps one, two, three, and seven 
are user, Organization, and vendor/system specific and must be performed by the 
organization planning to implement the LAN. In reality, step three would be done in 
terms of specific components with consideration of associated specifications. The 
component guidance categories above would be used to isolate guidance that pertains 
to each particular component and system level consideration. Steps four, five, and six 
are illustrated in this chapter in a general way to point out guidance areas important to 
LAN security. Only two modes are chosen for brevity. 

B. PART 2: GENERAL LAN - GUIDANCE REQUIREMENTS FOR NET 
WORK COMPONENTS 
1. System/Miscellaneous 

a. Configuration (Includes Topology) 

LAN system configuration requirements are concerned with design, 
Operation (coordination and control), facility, and hardware considerations. Guidance 
addressed by this thesis does not address LAN security in great detail. Various 
telecommunications, ADP, and ATS components are all used to establish LANs. 
These component requirements are addressed in enough detail to be applied to the 
ADP and transmission hardware used in LAN configurations. Guidance for LAN 
svstem level requirements can also be derived, just as ADP and telecommunications 
guidance can be derived and applied to LAN components. 

The derivation idea in the above paragraph can be seen in the regulations 
themselves. For instance, ATSs and administrative systems are the only unique 
systems addressed in contrast to miscellaneous network comments. Configuration 
areas not covered under ATS guidance, are subject to general ADP requirements. In 


addition, administrative systems are not affected by security guidance unless they 
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handle sensitive information or communicate with other computers. Thus any LAN is 
subject to ATS and general ADP requirements, even if it is purely an administrative 
system, because LANs consist of ADP components and always include 
telecommunications. [Ref. 13: pp. 9,31] 
Keep in mind that the “system”, or total configuration, must be approved. 
It is the responsibility of the organization commander or manager to see that AR 
380-380 is applied [Ref. 13: p. 12]. The temporary exceptions and waivers addressed in 
Chapter III should be addressed as early as possible. The approval process, referred to 
as accreditation, will be addressed in Chapter V. 
(1) Design. System security features should be incorporated into any 
LAN configuration from the very beginning. Minimum ADP system security 
requirement features that should be part of a LAN design include: 
e Individual accountability - who is accessing and what thev are doing 
e Environmental control - physical protection of hardware. 
e System stability - all components protected to provide steady operation. 
e Data integrity - accurate and timely data. 


e Svstem reliability - minimize down time caused by security breaches and 
identify‘prevent unauthorized penetration. 


e Secure communication links - identify/prevent unauthorized penetration. 
These features should also be applied to future upgrades and/or expansion. 
Standardization should be incorporated where possible with the ultimate goal of 
interoperability. Performance measures must allow for security needs because overall 
system performance may be affected by security software or hardware. Some examples 
involving encryption and shielding are presented later. [Refs. 13,32,34] 

If system security features are to be included early in the design 
process, they should be followed throughout the system life cycle. For instance, any 
communication need should include security requirements whenever there is some sort 
of change or upgrade because new equipment could impact the total security of the 
current “system”. For example, the use of fiber optic cable media could reduce the 
need for encrvption. Thus, all applicable security requirements should be followed for 
all components of the system. [Refs. 13,17,28] 

Emanation is the radiation of signals from a transmission cable media, 
hence it is another major system: security design area to cause concern. Generally, the 


guidance sources indicate that some form of encryption is desired for sensitivity levels 


a 


Starting at CONFIDENTIAL and above. [Ref. 20: pp. 36-37] Encryption is the 
transformation of information into a unidentifiable code. In order to conform to 
compromising emanations control policies, the overall network system design will 
include link encrpytion or end-to-end encryption, and manual procedures for 
encryption key control. Either form of encryption will require extra hardware for key 
generation and encoding at the node interface to the network. Manual procedures 
must be used to control storage, issue, and control of encryption key information. All 
key information and handling procedures, encryption hardware and facilities, and 
software and associated storage facilities, must be protected at least at the highest 
security level for the system. Additionally, investigations and studies of compromising 
these emanations 1s given the unclassified name of “TEMPEST” [Ref. 13: pp. 5,78]. 

All transmission media and interface hardware will achieve security via 
one of the COMSEC methods; National Security Agency (NSA) produced 
Cryptographic system, protected distribution svstem (PDS), or commercial 
communications protection (for unclassified national security information). A PDS is 
an approved telecommunications system that has the required physical and electronic 
safeguards for safe transmission of unencrypted sensitive information [Ref. 13: p. 76] 
These methods are to be used for all transmission hardware interfaces and are 
addressed in more detail under the transmission hardware section of this chapter. 
([Retwiseap. 13] 

System planning should not isolate physical and environmental security 
considerations from other system security considerations. Topics like sturdy building 
construction, adequate electrical power, well constructed cable media supports, and 
proper routing and shielding of cable must be considered. The goal is to protect the 
svstem from unauthorized access and physical damage. [Refs. 13,23] 

Finally, future system improvements must be state-of-the-art, not 
duplicative, and cost effective, as well as approved by the accreditation authority. To 
accomplish this, the design should be modular to the extent that additional connections 
are possible for extra security hardware and software features that may be required. 
Security upgrades and/or additions of existing security features should not degrade 
overall system performance. [Ref. 13: p. 9] 

(2) Operations - Coordination and Control. System interoperational 
security considerations concern intra-system as well as inter-system activities. LAN 


configuration control must be rigid, well established and enforced. In addition, a 
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comparison between the baseline configuration and a proposed modification must be 
made before any system component is modified. The comparison must include a 
system security evaluation that includes audits of hardware, software, and firmware, 
and risk assessment. Also, auditors should be involved in all phases of the design 
process to assure that audit trails are properly designed and integrated into the 
network. [Ref. 13: p. 32] 

Security coordination within a LAN should be between the ADP 
network security officer (ADPSSO), terminal area security officer (TASO), network 
security officer (NSO), and the network manager. In contrast to standard mainframe 
terminals, the TASO may not only be responsible for “terminals” at his/her remote 
location, but gateway hardware, mircocomputers, or network control hardware 
(switches, controllers, etc.). In terms of a network, the ADPSSO would be responsible 
for security of one or more computers at a particular site. Yet he/she would be 
subordinate to the NSO because their site is a remote user of the network just as a 
terminal is a remote user. Therefore, a NSO may manage many TASOs and 
ADPSSOs. ADPSSOs may have their own TASOs for their local equipment. Also, 
security at the internet level could be handled by the network manager or NSO. 
{Ref. 13: pp. 4-5] 

Special attention should be paid to requirements of organizations that 
maintain telecommunications networks, especially to the transmission interface 
gateways. This includes requirements for data link interfaces, message link interfaces, 
and encryption requirements. Data link security is in terms of pure bit stream 
transmission. Message link security deals with actual encryption of the message 
famidied by the protocol. [Refs. 35,23: p. 7] 

Network configurations are the most vulnerable ADP operation mode 
because of their on-line, interactive, and distributed nature [Ref. 13: p. 7]. Thus, 
continuous safeguards are a must. In essence, networks are systems composed of ADP 
hardware components, software components, and transmission media components 
working together. Similarly software security, hardware security, procedural security, 
physical and environmental security, and communications security must work together 
to provide efficient network “system” security. 

In terms of system operations security, the NSO must compile a 
security profile that describes equipment components, equipment locations and 


relationships, the physical structure, and general operating environment of the 
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automated system. This is especially important in a PDS without encryption, because 
physical protection and electronic shielding could be penetrated at almost any physical 
point of the network. [Refs. 13,23: pp. 76,6] 

(3) Facilities. General environmental protection must include cost 
effective detection, protection systems, and emergency measures to provide disaster 
(fire, flood, etc.) protection. The goal is to minimize system and information 
vulnerability that would result from a disaster. Thus, network facilities must be 
properly designed and constructed. [Ref. 13: pp. 10-12] 

In stand-alone ADP networks the central facility is usually the 
room/building that contains the computer. In a network it is any location that 
contains the network control components. Given a network can have distributed 
control, all network facilities housing network control components and gateways 
should be protected according to ADP “central facilitv’ requirements. The central 
facility must always equal the requirements for the highest approved system security 
classification, especially if it is a contractor operated system or a system under 
contractor development and implementation. [Ref. 36: pp. 177-178] 

(4) Hardware. Hardware security requirements for ADP equipment applv 
to all LAN ADP hardware and LAWN interface devices; controllers, gateways, and 
computers controlling protocols. These requirements must be considered in all future 
Army systems. Hardware features required in terms of the “system” configuration are 
internal isolation of users, user port and/or channel identification, internal protection 
mechanisms for memory and storage, and error detection. External security features 
include facility security and physical locking devices such as insertion of Keys or 
magnetically encoded cards. [Ref. 13: pp. 19-20] 

b. Sensitivity - Levels and Applicability 

System sensitivity must be determined before a secure operating mode can 
be designated. In addition, a risk management program must implement procedures to 
identify weaknesses so effective counter measures can be devised. 

(1) Sensitivity determination. In sum, requirements identified in Chapter 
III (of the thesis) indicate that sensitivity is determined by the importance of the 
information processed to the overall Army mission, a need-to-know, and unique system 
features or applications that warrant protection. 

Sensitive data includes personal data protected by the Privacy Act of 


1974. In short, personal data of all personnel maintained on any ADP system is 
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considered “highly sensitive” information in terms of the sensitivity categories 
preseented in Chapter III. [Ref. 13: p. 6] 

In addition to Privacy Act data processing, sensitivity is determined by 
the user, dollar value, and/or value in terms of national interest or defense. A need-to- 
know applies to all aspects of the system configuration. Also, a system Accreditation 
Authority can impose more rigid sensitivity levels for reasons unique to a particular 
system. [Ref. 13: pp. 6-7] 

Sensitivity requirements identified in Chapter III also indicated that 
“compilation” of unclassifed items may require a higher classification. This requires 
system unique analysis to determine if in fact a sensitive compilation of information 
exists. Because of network distributed processing and access, compilation is always a 
consideration in a network. Given the system analysis, the original classification 
approval authoritv makes the final classification determination, but special approval 1s 
required for compartmented data. [Refs. 20,32] 

As mentioned earlier, physical requirements are based on the security 
Operating mode, which in turn is determined by the sensitivity level. Hence, things like 
the physical facility security profile (FSP) should be based on the amounts and types of 
sensitive processing. [Ref. 13: pp. 12,40] 

Security requirements apply to all systems handling classified 
information. Certain (usually older) administrative systems may not be subject to ADP 
security requirements. Stand alone administrative systems that do not process 
classified information do not have to be accredited. However, given teleprocessing 
requirements, ADP requirements, sensitivity considerations, and Privacy Act 
requirements, a LAN supporting administrative processing would probably have to be 
accredited [Ref. 13: pp. 9-12,18]. Moreover, cryptographic capabilities apply to any 
system with a confidential or higher classification. [Ref. 20: p. 36] 

(2) Designation. Once sensitivity levels are set, detailed requirements for 
each system component can be identified. Also, all ADP operation and facility 
designations must be assigned. Nonsensitive systems are the only systems that don't 
require accreditation [Ref. 13: pp. 5-7]. Sensitivity level designations affect all aspects 
of the configuration, not only the physical aspects mentioned above, but also the 
control of system data [Ref 32: pp. 3-8]. For example, there are different 
communications security requirements for different sensitivity levels that apply to the 
control of information transmissions [Ref. 20: p. 6]. Designation considerations 


include: 
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e The type and sensitivity of information handled by each component. 
e Who will access information at each network location. 

e Physical location of network components. 

¢ Who has offical control of specific data bases. 

(3) Risk Management. A formal risk management program must be 
established for each automated system handling sensitive defense information 
[Ref. 13: p. 5]. Risk management is intended to provide a means to identify, measure, 
control, and minimize weaknesses in the entire system configuration. The general 
objective is to prevent unauthorized system access and use. A specialized risk analysis 
Should be conducted (by experts if possible) to determine vulnerabilities. The 
expenditure of resources to determine the most cost effective safeguards should be 
supported. [Ref. 13: p. 29] 

c. Security Processing Modes 

Security processing modes were discussed in Chapter III. They are the 
multilevel security mode, controlled security mode, system high security mode, 
dedicated security mode, and periods processing [Ref. 13: pp. 7-8]. Only system high 
and multilevel modes are presented (later) in this chapter to identify basic 
considerations. A detailed analvsis of all the modes would prove to be lengthy. 
Additionally, both these modes are reviewed to provide background for an example 
presented at the end of Chapter V. 

In contrast to standard Army guidance, DoD contractor security guidance 
only approves the dedicated, system high, controlled and concurrent security modes. 
The most notable difference is that the multilevel mode is not addressed. Nonetheless, 
concurrent processing of multiple classification categories closely resembles multilevel 
mode requirements addressed later in this chapter. Contractor security guidance 
applies to networks that are developed and/or operated by contractors. [Ref. 36: pp. 
173-175,181-182] 

Physical security requirements for contractor security modes must also be 
based on sensitivity. Above all, physical security protection must meet requirements for 
the highest sensitivity level processed by the system at each facility and remote ternunal 
area. The only exception is that in an approved controlled security mode, remote 
terminals may be secured at the highest level for that site. Nevertheless all systems 
processing with a system high sensitivity of SECRET/CONFIDENTIAL must meet 
physical security requirements no lower than those required for CONFIDENTIAL. 
[Ref. 36: pp. 171-190] 
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d. Procedures 

ADP system procedures that apply to LAN configurations involve 
implementation, access, facility construction, risk management, audits, and emergency 
plans. 

(1) Implementation. First, minimum security standards for the network 
and then accounting and audit trails must be established in terms of implementation. 
Network security standards should then be used to develop system-wide security 
procedures. The procedures should be tested and analyzed along with svstem hardware 
and software to make sure thev are compatible and are cost effective in terms of system 
performance. Once the system security hardware, software, and procedures are 
approved for operation, personnel should be trained. All user and operator training 
should include identification of security responsibilities as well as security procedure. 
ers. 2,13: p. 11] 

Given a network manager and NSO are appointed in the design stages 
to assist and monitor design of security features, a TASO for each site should be 
appointed before implementation and testing at their specific site. 

Mutual agreement on security responsibility between the organization 
controlling remote devices and the remote user organizations must be finalized before 
remote devices are implemented or allowed to access the system. Naturally, established 
security agreements and procedures are also required before internetworking 
[Ref. 13: p.5]. In addition, security/implementation requirements should be checked for 
each user organization and organization chain of command level. This allows 
identification of unique user requirements and priorities. For example, the type of 
organization (headquarters, post, etc.) affects user priorities in terms of who comes on 
line first and what they can do. Unique user requirements may also have an impact on 
implementation/installation schedules, testing, etc. 

(2) Access procedures. Before access procedures are developed, vulnerable 
areas must be identified. Vulnerability information should be available from the system 
design or risk management documentation. 

Controls for personnel access to ADP facilities and hardware during 
and after normal duty hours may include physical and/or manual procedures. Some 
examples are control of keys, control of combinations, continuous closed circuit TV 
monitoring, intrusion detection systems, exterior lighting during darkness, second 


access doors, and fencing. Access procedures should also include visitor controls that 
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include escorts as a minimum, and depending on the processing mode, pre-arrival 
security checks. [Ref. 13: pp. 12-16] 

LANs require protection of system documentation and media at the 
highest system classification level. In addition, file access is based on a “need-to- 
know’. In addition, there must be sanitization procedures before and after contractors 
work at sensitive levels on any ADP system. [Refs. 13,36] 

Password generation should also be based on sensitivity value of the 
system. Special care must be given to password generation, issue, and control. 
Transmission media channels for sending passwords should equal their classification 
level miiNel- l= pie 

(3) Risk Management Procedures. Above it is stated that a risk 
management program must be established for systems handling sensitive information. 
Risk managemient procedures are not standardized because every system is unique. 
Only phases of evaluation are standardized. This includes communications and 
emanations. As a result each command is responsible for it's own risk management 
activities. To determine the nunimum level of protection needed, management must 
identify the resources to be protected and analyze the risk of espionage, sabotage, 
damage, and theft. [Ref. 13: p. 29] 

(4) Audit Procedures. General ADP and network svstem accounting 
procedures are required for job accounting, resource accounting, and customer 
accounting categories. Audit and evaluation procedures required for the accounting 
categories can be separated into manual and automated rosters and logs, internal 
audits, and security verification programs. [Ref. 13: p. 25] 

Data control is an important aspect of network environments and 
distributed systems. Networks require audit trail records for data as it is routed 
through the network. The network manager and NSO should always monitor who is 
on the system and what they are doing. In addition, each network user that processes 
information should have their own data control for their ADP equipment and location 
[Ref. 27: p. 2-1]. Minimum controls include: | 

e Watching schedules and workload arrival times. 
e Automation summary reports to record receipt of data. 


e Separate accounting procedures for classified products. This includes arrival 
records, summary reports, traffic classification logs, etc. 


e Console logs. Identification of all users and time of access. 


e Journalizing of each file accessed by each user and what the file was used for. 


64 


e Input control - determine the file accessed and:and all restrictions (read, write, 
GEC; }. 


e Identifiable output linked to the correct recipient. 

e Printouts produced only at attended printers. 

e Output control logs at remote devices. 

e Scheduling procedures for user requests of large amounts of network resources. 
e Logs must be retained for at least 60 days. 

e Sensitive audit trail data must be retained for 90 days. 


e Over-the-counter batch input/outputs must be reviewed before entering or 
leaving the network facility. [Refs. 13,27] 


All system securitv incidents must be investigated [Ref. 13: p. 8]. Thus, 
the above audit procedures would be an important part of an investigation, as well as 
routine system control. 

(5) Emergency. Emergency procedures for start-up, shut-down, and 
system failure must be planned because the network is especially vulnerable during 
unscheduled termination of operations. Operational security controls must be strictly 
enforced and intensified during these times. In other words, all areas must be secured 
at the highest operating mode level until normal operations begin. Svstem software 
should provide minimal protection for minor interruptions like power surges, keeping 
them as transparent to the users as possible. When an emergency shut-down or svstem 
failure takes place an investigation must begin immediately to determine the cause, 
impact, and corrective measures (if any). Security plans/procedures are needed during 
system recovery to prevent further damage and vulnerability. [Ref. 13: pp. 24-25] 

The Continuity of Operation Plan (COOP) requires off-site secure 
storage for sufficient copies of documentation material, data, and software to 
reestablish operations in the event the originals are damaged or destroyed. The 
Sensitivity requirements for the storage area must be equivalent to the most sensitive 
item stored there. Proper off-site storage requires on-site and off-site rotation and 
Storage of documentation, data, and software to ensure the most recent versions are 
available. System documentation should include network system recovery plans and 
procedures. [Ref. 13: pp. 24-25] 

In addition, emergency text transmission procedures are required for 
national security information in the event secure modes are deactivated or not 
available. [Ref. 29: pp. 10-12] 
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2. ADP Hardware 
a. Computers 

In terms of the actual computer, security guidance is concerned with 
Operation, management, and access of facilities and hardware. 

(1) Faeilities. It was mentioned above that the central facility must be 
secured to the highest system sensitivity level. In addition, direct access to the 
hardware within the facility must be controlled. 

Note that supporting facilities (utilities, air conditioning equipment, 
etc.) should also be secured at the same level as the central computer facility. 
| Ret le sso a) 

(2) Access. Physical access to ADP hardware is covered above in the 
system access section. Some additional requirements are listed below. 

e Regular inspections. 

e Restrict access to network control facilities. 

e Tight control of identification devices (badges, Keys, etc.). 

e Change of kevs and locks on a regular basis. 

e Proper disposal of classified media and documents within a site. 

e Applicable TEMPEST requirements to prevent unauthorized electronic access 
ef. 27: pp. 3-3 = 3-4]. TEMPES I 1s the Mesa namie for the investigation 

and study of emanation compromuse [Ref. 13: p. 

In terms of the “access” procedures in the system procedure section 
above, data file access is controlled by user passwords and identification procedures. 
Thus, access to the generic LAN is controled by passwords and procedures at the 
network center, while another set of controls may be required for access to specific 
computers or computer systems connected to the LAN. This would apply to situations 
where a user has access to a computer with a network interface, but the particular user 
does not have a need or clearance to access the network via that computer. 

In addition, access to audit file information should be limited to the 
network manager, NSOs, and network center operators with a need-to-know. 

In certain situations a systeni may connect to system(s) with a lower 
security Operating mode. The system with the lower security operating mode must use 
approved disconnection techniques whenever sensitive processing exceeds the 
classification of the “connected” system. The same basic requirements needed at the 
system level apply to the component level (sanitization, etc.). Contractors can only use 


software disconnects for sensitivity levels at or below SECRET. The network manager 
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and NSO should predetermine specific channels and/or transmission links for both 
hardware and software disconnects so they can be monitored during the disconnect. 
livers. 22,36] 

In terms of sensitive information, “privately owned computers will be 
used only in a stand-alone configuration.” Privately owned computers cannot be used 
in a LAN, network, or any type of remote connection to a mainframe configuration 
unless it is first accredited. Understandably, all information processed becomes 
property of the Army. The objective is to prevent penetration of a secure area or ADP 
facility. Any PC could contain emanation collection equipment, or if connected to a 
system, enable unauthorized collection, destruction, or alteration of information. In 
contrast, PCs owned or leased by the Army can be connected to any network or Army 
stand-alone system provided they meet system accreditation requirements, assuming 
Army owned PCs are secured and controlled properly. [Ref: 13: p. 10] 

b. Terminal Devices 
Understandably, the sensitivity of information processed determines 
terminal device requirements as well as other component requirements. General ADP 
terminal requirements that apply to the generic configuration are physical area, access, 
emergency, and accreditation requirements. 
(1) The Physical Terminal Area. Networks terminal equipment must be 


protected before and after duty hours [Ref. 13: p. 14]. Normally, 


remote terminal area requirements will be based upon the highest classified and 
most restrictive category and type of material which will be accessed through the 
terminal under system constraints. [Ref. 22: p. 16] 


However, remote terminals in systems controlled or under development by contractors, 
must continuously operate in the highest security class except for terminals approved 
for the controlled security mode. Basic physical needs are similar to the ADP hardware 
and general system considerations addressed above (lights, locks, construction, etc.). 
fei 3o: pp. 177-178] 

Terminal media storage is especially important in LAN configurations 
where the remote terminal device is far from the network center. In remote terminal 
areas all disk packs, tapes, etc., as well as terminal devices, must be secured under the 


maximum approved security level for the remote location. [Refs. 13,22] 
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(2) Terminal Access. Direct access to a terminal device at any location 
can be controlled by a combination of time-outs, locking mechanisms and 
identification verification. Logon time-outs must be based on sensitivity levels. 
Physical and software terminal locking and unlocking must be controlled by system 
operators and authorized by the ADP svstem security officer (ADPSSO), terminal area 
security officer (TASO), or a network security officer (NSO) [Ref. 13: pp. 18,21]. Thus, 
access identification is accomplished before processing begins. [Ref. 22: p. 16] 

Disconnect situations were covered under computer access above. 
Microcomputers and smart terminals approved for temporary connection or 
disconnection procedures, must undergo some type of memory sanitization before and 
after connection. By consequence, accoustic coupling should be mininuzed or 
elinunated because it is harder to audit and control. [Refs. 13,36] 

Internetworking requirements mentioned above for computer hardware 
also applv to terminals. Terminals accessing a systeni or network must meet that 
networks minimum requirements and be approved by network authorities. 

Lastly, terminals that access commercial time sharing computers or 
networks, must have a lockout mechanism or be located in a separate secure room. 
Accredited terminals used for access of commercial systems should be sanitized before 
accessing a classified network. Terminal software and hardware interfaces into the 
same network must also meet accreditation approval. [Ref. 13: p. 14] 

(3) Emergency. The same general requirements mentioned above apply to 
terminals in terms of start-up, shut-down, and failure procedures. Remember, this 
includes full documentation and investigation of system failures and emergency shut- 
downs. [Ref. 13: p. 24] 

(4) Accreditation. One major point concerning terminal device 
accreditation 1s in terms of its relationship to the system or network configuration. In 
Short, Chapter III of the thesis mentioned that terminals, PCs, micros, nunis etc. 
connected to a system) more than 50 percent of the time must be accredited with the 
system [Ref. 13: p. 9]. Thus, terminals that access a network must have accreditation 
equal to the networks requirement for the sensitivity processing level, if they are not 


accredited with the system. Accreditation is covered in Chapter V of the thesis. 
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3. Transmission Hardware 
a. General Transmission Media Considerations 

Transmission media considerations that apply to LANs are ecryption, non- 
encryption security methods, telecommunications plans, teleprocessing audit controls, 
and communications security monitoring. 

(1) Encryption. Encryption is transforming information into a code to 
conceal its meaning. End-to-end encryption is encryption of information at the origin. 
before it enters the transmission medium, and then decrvpting at the destination after it 
leaves the transmission medium. Link encryption is “the application of on-line crypto- 
operations to a link of a communications system so that all information passing over 
the link is encrypted.” [Ref: 13: p. 74] Encryption applies to confidential as well as 
other higher classifications, and is used to prevent unauthorized access of transmission 
media or electronic emanations. [Ref. 20: pp. 36-37] 

All telecommunications transmissions of ADP “record” data must be 
secured by approved encryption in cryptosystems or by PDSs [Ref. 29: p. 3]. 
Moreover, all telecommunications must meet communication security criteria equal to 
the information security requirements, when supporting ADP systems. [Ref. 32: pp. 
6-7] 

Systems under contractor control and/or development that process 
classified information must be encrypted for both inter-facility and intra-facility 
transmission links. However, an approved level of physical security can be substituted. 

Other measures that can be used in addition to encryption include a 
PDS, authentication, proper operator skills and discipline, and general communications 
security awareness. PDSs are discussed under non-encryption methods. 
Authentication is the process of verifying the eligibility of a system (or network) user 
to access information. [Ref. 13: p. 72]. 

(2) Non-encryption Methods. In a multichannel telecommunications 
system (and our generic LAN), the interconnecting transmission links that carry | 
classified data and pass through unrestricted areas must be protected. Thus, a LAN 
configuration may meet PDS approval requirements for classified processing if it is 
within a controlled area with appropriate physical safeguards. If not, physical 
protection is required for all lines routed outside the facility . PDS physical protection 
requirements include: 


e © Special routing, physically isolated from other non-PDS cable media. 
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e Cable aoe must be routed within a secure perimeter or have guard patrols 
assigned. 


e Cable media must be contained on the installation under the using 
commander's control. [Refs. 13,29] 


Because of varied security techniques, locations and applications, each PDS will have 
unique requirements requiring evaluation on a case-by-case basis by approval 
authorities. [Ref. 29: p. 10] 

Disconnect procedures mentioned earlier for protecting classified 
material by hardware and/or software methods, may be authorized by the designated 
approving authority. [Ref. 32: p. 7] 

(3) Telecommunications Plans. Telecommunication plans referenced 
contain general topics, not specific security information. Still, ADP communication 
support plan requirements, that are a part of the telecommunication plan, may 
enhance LAN security planning. Security plans can have an impact on performance 
and cost effectiveness. 

For instance, encryption requirements may have an impact on the 
communication support plan. Encryption requires one more interface process for a 
transmission link, resulting in a slow down in network responsiveness on the encrypted 
links. Also, a given encryption process may require that security-oriented headers be 
added to transmission packets resulting in a net decrease in efficiency. In addition, 
there is extra cost associated with extra components. In sum, the communication 
support plan includes data transmission formats, area and range of transmissions, 
volume of data, and transmission rates with the associated security requirements. 
(Reis 23739) 

In terms of internetwork planning, all requirements for the generic 
configuration’s gateways (and other interface components) would have to meet the 
security requirements of the network to which it was going to be connected. 

(4) Teleprocessing Audit Controls. Batch teleprocessing systems must be 
auditable and controllable. Accounting procedures include internal audits and 
transaction logs. These procedures would be applicable to a LAN configuration 
supporting batch oriented functions. Remaining teleprocessing audit controls are 
covered above under system audit procedures. [Ref. 13: p. 25] 

(5) COMSEC Monitoring. Communications security (COMSEC) 
monitoring is not required but it may provide information for improving network and 
telecommunications security. National Security Agency (NSA) approval is needed. 
(Ref. 30: pp. 4-5] 


70 


b. Interface Hardware 

There are no specific LAN device requirements mentioned for interface 
components. Interface requirements would parallel standard ADP _ or 
telecommunications requirements depending on the device characteristics. For 
example, a controller could resemble a minicomputer and would be subject to the same 
secure protection. Naturally, network and telecommunication interoperability and 
standardization should be a goal of all services and agencies. Inter-agency awareness 1s 
required to accomplish this, so requirements of all agencies must be reviewed whenever 
any internet is planned. [Ref. 13: p. 32] 

Even though each organization involved in a telecommunication network 
must be aware of each other’s security requirement, there 1s one organization that 
provides approval. From all information presented, the system supporting the most 
sensitive processing has the ultimate security authority. [Ref. 22: p. 20] 

4. Software 
The software requirements addressed by the guidance reviewed for this thesis 
is ADP oriented; there was no mention of network protocols. The purpose of this 
thesis involves identifing security guidance pertaining to LANs. Thus, general 
Statements about utility, application, and operating system software are presented here 
with comments about their relation to protocols. 
a. General System Software. 

Utilities, executive routines, security routines, and operating systems all 
support the objective of obtaining a secure system. In general, each must maintain 
separate user and master modes, identify and verify terminals before they are allowed 
to process, provide time outs, maintain audit trails, etc. The ultimate goal is 
prevention of unauthorized access. Thus, this type of software must be protected and 
controlled at the highest sensitivity level associated with the system, whether it is 
located on or off (disk, tape, or other media) the system. Protection levels remain in 
_ effect as long as the software is used on the classified system. These restrictions also 
apply to contractors. 

Use of software security packages should be based on cost versus level of 
security protection provided. Moreover, classified data cannot be protected by 


commercial software alone. 
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b. General Operating System Functions 

In simple terms a computer system is controled by the operating system 
which in essence, is a collection of system programs. The operating system and 
associated system software provides many of the basic internal security features 
required for a computer and the system in general [Ref. 13: p. 75]. Basic requirements 
include partioning areas of memory by classification level with capabilities for control 
of interrupts in a way that will enable preservation of data integrity within memory. 
Also, an operating system should have the capability to provide memory bounds 
checking when information is transferred. Identification of all users and devices active 
in the system must be provided. 

c. Application Software 

Commercial/purchased software approved for unclassified or lower, or 
contractor produced software. can only be introduced into the svstem during classified 
processing in a read-only or write-protected manner. [Ref. 36: pp. 182-183] 

Data base management systems (DBMS) must include protection at least 
down to the record level to be used for classified data, but the element or field level 1s 
preferred. Also, a DBMS must have a journalizing capability and produce it’s own 
audit trail if it bv-passes the system audit trails. The goal is to be able to track activity 
to the lowest possible level [Ref. 13: p. 10]. It should be noted that software audit 


procedures (logs, files, etc.) can be automated, manual, or a combination of both 
[Ref. 22: pp. 26-29]. 
ad. Protocol Software 

For the purpose of this thesis, interface software refers to protocols, but 
before proceeding with protocols a review of some definitions are in order. Executive 
software controls include input/output controllers, operating systems, and ADP 
equipment. Utility software handles routine merges, sorts, and other processes for 
executive and applications software. Application software is strictly functional user 
applications. Operating systems consist of a set of utility and executive routines that 
control hardware resource allocation and programs, i.e., the basic functions of the 
computer system. | Refs: 3,135 ppeoUsnte ssl 

In Chapter II, a protocol is defined as a set of rules that govern data 
communications transmissions. Actually, the rules transform into requirements and 
specifications for the executive, utility, and application software that control network 


interaction. First, individual systems accessing the network must have their own 
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Operating system that handles protocol hardware and software requirements. Included 
would be ADP and transmission interface requirements. [In turn, ADP and 
transmission interfaces would be required to have appropriate security features. This 
provides functionally secure transmissions throughout the system. Hence, the protocol 
causes a network synergy. In other words, when all specifications are met, the protocol 
rules produce an “operating system effect” that controls the entire network. Thus, the 
protocol is protected via the implementation of the other system components and their 
corresponding security requirements. 
o> PA 3: MULTILEVEL OPERATION. MODE - GUIDANCE 
REQUIREMENTS FOR NETWORK COMPONENTS 
Component areas addressed in this section are multilevel security mode specific. 
Reference the previous sections about general requirements for topics not covered here. 
1. Configuration Considerations 

The multilevel security mode consists of concurrent access to various types 
and categories of classified information, concurrently stored and accessed by users with 
different clearance levels and need-to-know. Consequently, many users may not 
possess a security clearance that equals the level required for the most sensitive 
information processed and stored on the system. 

The operating system and associated system software is the component that 
handles multilevel processing [{Ref. 13: p. 75]. However, there are multilevel LAN 
configurations that use a combination of hardware and software to obtain a secure 
multilevel environment [Ref.37: p. 75]. It is possible that either of these 
hardware/software configurations could be accredited. 

In addition, network configurations are considered more vulnerable than other 
ADP configurations because they “require precise control of complex interactions, and 
iiem probability Of system error is greater. [Ref. 13: p. 7] In other words, the 
distributed processing and storage of data makes the system more vulnerable. Password 
generation, for instance, may be more complicated to manage on a network than a 
stand-alone ADP system. Yet, in a multilevel network configuration even more 
attention to password generation, assignment, access restrictions, etc. is required. 
ects 13; p, 19] 

2. Sensitivity and Operating Mode 

Multilevel security processing is prohibited for any CS! or CS2 system 

without the written approval of the Assistant Chief of Staff for Intelligence (ACSI). 


This mode would be appropriate for separatng SECRET/CONFIDENTIAL (CS3), 
highly sensitive (includes Privacy Act data), sensitive, and nonsensitive information. 

As mentioned earlier, contractor security guidance does not literally mention 
multilevel security, although, it does mention concurrent processing of multiple 
classification categories. Concurrent processing means proper and _ controlled 
segregation of security classifications. It refers to storage of more than one security 
classification within the same system. As a result, it does not specifically address 
actual user interaction. The security requirements parallel multilevel guidance. 
(Reiss 32,36] 

3. Procedures 

In a multilevel environment continual system reviews are required to ensure 
that system access control limits users to only the resources they require to perform 
their duties and to information they “need-to-Know”’. In terms of passwords, 
classification is “according to the system access to which the user 1s authorized and the 
terminal from which the activitry is initiated.” [Ref. 13: p. 19] Moreover, remote 
terminals can have access to the system “only from terminals designated and protected 
for the appropriate level of classified processing.” [Ref. 13: p. 19] 

4. Software - Operating System 

Different multilevel operating svstems have been approved at different 
sensitivity levels by NSA. Yet, a particular multilevel operating system may not be 
approved for all applications at a given classification level. Moreover, the “system 
effect” may reduce over all multilevel sensitivity performance. As a result, a multilevel 
Operating system approved for a particular sensitivity level may not maintain that 
sensitivity level for all applications. 

D. PART 4: SYSTEM HIGH MODE - GUIDANCE REQUIREMENTS FOR 

NETWORK COMPONENTS 

Component areas addressed in this section are svstem high security mode 
specific. Reference previous sections of this chapter, excluding the multilevel section, 
about general requirements for topics not covered here. 

1. Configuration Considerations 

A system high configuration requires all systen. components to be protected at 
the highest security processing level. All personnel accessing the system have the 
“system high” security clearance, but may not have a need-to-know for all information 
on the system. [Ref. 13: p. 75] 


The system high mode lends itself to the “peripherals/systems” approach which 
can be applied to the generic LAN configuration. The peripherals/systems approach 
requires that all security considerations must be addressed during development, 
implementation, and operation in terms of all components. Remember that temporary 
waviers are possible. [Ref. 13: p. 32] 

2. Sensitivity and Mode of Operation 

Guidance requires that need-to-know controls must be contained within the 
ADP system’s operating system hardware/software. Unlike true multilevel operating 
system requirements, system high does not require memory partitioning or other 
memory unique control functions in the multilevel sense. 

A LAN configuration operating in a system high mode connected to a system 
or network with a higher classification, could be physically disconnected at the 
gateway/interface during processing at the higher classifications. Likewise, a svstem or 
network connected to a LAN with a higher classification could be disconnected when 
the processing classification level of the LAN exceeds it’s own. [Refs. 13,36] 

Another possible mode of operation identified bv guidance involves actually 
temporarily adjusting the total system operation to a higher security level if all security 
requirements for that level are met and approved. The system must then be returned 
to it’s original state (declassified) when processing 1s complete. [Ref. 32: p. 4c] 

System high operating mode restrictions include: 

e No SIOP-ESI processing. 


e SCI eet be processed when requirements of DIAM 50-4 or DOD C-5030-58M 
are met. 


e Adequate security for CS2 and CS3 systems. 


e Can, be specifically approved by the accreditation authority for “highlv 
sensitive’ svstems. Password security is mandatorv. 


e Can be specifically approved by the accreditation authority for “sensitive” 
systems. Password security is mandatory. [Ref. 13: pp. 7-8] 


Thus, procedures for password generators and control should be carefully planned and 


implemented. 


E. SUMMARY 

LAN guidance requirements covered in ths chapter must be applied to a 
particular configuration so the proper security features can be mapped into the 
hardware, software, transnussion medium and interfaces, and the overall system, during 


design and implementation. In doing this, the ultimate degree of access flexibility and 


ie 


system security will depend on the sensitivity level and mode of operation. The 
objective is to apply security guidance requirements to a particular LAN to obtain 


accreditation. 
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V. LOCAL AREA COMPUTER NETWORK APPROVAL 
METHODOLOGY 


A. INTRODUCTION 

Once the network objectives are set and risk management analysis is complete, an 
adequate sensitivity level can be determined that eventually leads to a security 
Operating mode for the network. The final operating mode designation is approved 
only after it meets the guidance requirements presented in Chapters III and IV. 
Chapter V refocuses the guidance reviewed in the previous chapters by highlighting 
some important areas of the guidance and the generic configuration in terms of the 
accreditation process. The purpose is to point out general network areas that must be 
addressed for accreditation and their basic impact on the configuration; system. 

First the accreditation process is defined and summarized in a general sequence 
of steps. This includes a review of accreditation policy makers; organizations, and 
network and ADP security positions at the operational level. The last part of the 
accreditation review addresses the part of the accreditation process covered bv the 
thesis. | 

System configuration considerations and requirements for sensitivity, network 
control, management, procedures, significant applications, and future upgrades are 
covered next. More system component considerations are then presented for hardware, 
software, and terminals. 

The chapter ends with two examples of alternatives that illustrate how the 


designated network security mode can affect the configuration design. 


B. ACCREDITATION OVERVIEW 
1. Background 
a. Definition 
In a pure sense, accreditation is the actual “approval” to process sensitive 
or classified data. In the real world of automated system development and 
implemention, accreditation is the process of collecting and analyzing security related 
information for approval of security requirements for networks, ATSs, and computer 


systems. It includes submission of specific information to an approval authority for 


al 


review and analysis, and any required system review meetings and inspections. The 
process ends when the accreditation authority grants a specific system permission to 
process specific level(s) of sensitive information. The accreditation authority is the 
official designated to approve an automated system for processing of sensitive 
information. As mentioned in Chapter I, The accreditation authority for systems 
processing critically sensitive levels of information is the HQDA or MACOM 
commanders (general officers), depending on the system. For highly sensitive 
information, installation, post, or field operation commanders can be the accreditation 
authority. At the sensitive level the heads of the data processing activities (DPA) or 
centralized office automation agencies may be the accreditation authority. 
Nonsensitivity systems do not need accreditation. [Ref. 13: pp. 6,30,71] 
b. General Accreditation Goal 

The goal of accreditation is to ensure that the system has security features 
that correspond to the level of protection required for information processed by the 
system. The idea is to provide enough flexibility in accreditation requirements so that 
the protection is affordable and has minimal impact on svstem efficiency and capacity 
given the unique circumstances of the system. 

c. Applicability 

Accreditation is applicable to all Army networks as well as computer DPAs 

and ATSs, except for: 
¢ Computers embedded in combat weapons systems. 
e Unclassified data or signals processed on analog computers 


¢ Programmable calculators and _mathematical processors without external 
storage and text processing capabilites. [Ref.. 13: p. 30] 


ad. Categories 

Sensitivity levels identified in Chapter III are used to categorize automated 
systems. The variation in types of systems, functions, and installations requires 
different accreditation standards and procedures for each sensitivity level as well as 
each unique system. Single-sensitivity level system accreditation is relatively straight 
forward in terms of security requirements - maxinium category requirements apply to 
the entire system. However, for multiple sensitivity levels the system will be accredited 
at the highest level, but subsystems may establish policies and procedures to operate at 


their individual sensitivity levels. [Ref. 13: p. 30] 
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2. The Accreditation Process 
Accreditation is explained in AR 380-380 and applies to all Army DPAs, 
ATSs, and networks as stated above. All accreditation information covered in this 
chapter is found in AR 380-380. The basic requirements of the accreditation process 


are Summarized in the next section. 


C. ACCREDITATION REQUIREMENT SUMMARY 

The basic requirements of the accreditation process follow. A general flow 
diagram of the process that represents these requirements is illustrated in Figure 5.1. 
ver. 13] 
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Figure 5.1 General Accreditation Process and Requirements. 
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1. Validated System Need and Requirements 

Identify and validate the need for the network and determine system 
requirements. In short, a need for a system has been determined because of a 
deficiency, outdated system, technical opportunity, change in threat, or a chance to 
reduce operating costs. Moreover, a tentative system is at least designed. 

2. Statement of Accreditation Objectives and System Goals 

Preparation of a statement of accreditation objectives and system goals is 
required. It must include a validation and review of the need for the system, the nature 
of mission, and other factors concerning accreditation. 

3. Risk Management Analysis 

Conduct a risk management analysis to identify risks and countermeasures, 
and then formulate a detailed cost and benefit analysis. When complete, a review 1s 
conducted so commanders/managers can determine system sensitivity and appropriate 
countermeasures. Risk assessment and analysis must be documented and protected at 
the appropriate sensitivity level. 

4. System Configuration and Operation 

Documentation must be compiled with the key security considerations forming 
the basis of accreditation, and a detailed description of proposed operations. Note that 
planned procedures used between processing modes/levels must be included for Periods 
Processing and Controlled Security Modes. | 

5. Implementation Plans 

In addition to the initial implementation plan, and review plans, similar plans 
for additional security features must be developed and include near term goals, long 
term goals, overall mission related goals, and future plans in relation to the 
organizations the system supports. 

6. Standard Test and Evaluation (ST&E) 

ST&E plans must include purpose, scope, objectives of the test, and test 
methodology. Test team organization and responsibility assignments must be 
identified. Actual testing must validate all procedures and data processing (includes 
applying inaccurate data), and challenge security features with and without knowledge 
of site personnel. Emergency testing procedures must include unscheduled shutdowns 


as well as other adverse conditions. 
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7. Plans for ST&E Results 
Separate plans for results of ST&E must also be documented. Test findings 
must include comparison of expected results to actual results. Test findings, 
conclusions, and recommendations must be submitted with accreditation 
documentation. 
8. Problem Areas 
A statement of continuing problem areas must be prepared for vulnerabilities 
not fully covered (or not addressed) by security features. Waviers or accreditation 
disapproval may result. 
9. Other Documentation 
Documentation description of the DPA, ATS, or LAN such as reports of 
outside agencies, FSP, ST&E, etc. is required. 
10. Accreditation Documentation 
Preparation of accreditation document in the format presented in Appendix I 
of AR 380-380 is mandatory. It must be prepared and submitted to the accreditation 
authority so she/he has enough time to review it before the formal review at the 
accredidation level. The accreditation document will contain information identified in 
the requirements above and also factors motivating accreditation and nature of the 
mission, reasons for rejecting other system and security alternatives, and attachments. 
Required attachments include the automated data processing system security officer 
(ADPSSO) appointment orders, copies of all inspection reports, and supporting 
documents referenced by the accreditation document. 
11. System Operating Level Command Review 
Formal command authority review at the operating level is required. A 
MACOM statement must be attached stating the accreditation document package was 
reviewed and examined, but only when the accreditation authority is the ACSI, 
HQDA, or higher. A recommendation must be included at these levels. 
12. Accreditation Authority Review 
Formal command authority review by the accreditation authority resulting in 
a decision is mandatory. If approved, a written accreditation statement is required 
from the accreditation authority. Or, the system could be disapproved with a 
temporary wavier or exception. A future accreditation review is required to ensure 
discrepancies are corrected. Most of the process must be repeated if the wavier is 


disapproved. 
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13. System Implementation and Operation 
Implement system or begin operations (existing system). At this point, the 
operating site must maintain a copy of the formal accreditation document. Note that 
the accreditation process must be complete before sensitive or higher level operations 
can begin and the appropriate authority must issue a formal dated statement. In 
addition, the NSO must periodically review, test, and reevaluate network security for 


periodic accreditation reviews. 


D. ORGANIZATIONS INVOLVED WITH APPROVAL AUTHORITY 

Accreditation is addressed at many levels of the Army, from the commanders, 
managers, and staff who develop and implement policy to the commanders and 
operators of ADP systems. 

The accreditation authority for a specific system is selected from the chain of 
command that the system falls under. The level of rank (and organization) in the chain 
is determined by the sensitivity designation of the information in the ADP system or 
network. The sensitivity levels and corresponding accreditation authority selection are 
addressed below. For example, in systems processing critically sensitive levels of 
information, the accreditation authority would be a general officer from the HQDA or 
MACOM. The system sensitivity and corresponding accreditation authority levels are 
summarized below. [Ref. 13: p. 6] 

e CRITICALLY SENSITIY 
- CSI -- Headquarters, Department of the Army (HQDA) 
- CS2-- MACOM commanders and heads of DA staff elements 


- C$3 -- Same as CS2 except can be delegated to general officer commanders 
of their subordinate elements. 


e HIGHLY SENSITIVE -- Commanders of installation, post, field operation 
support activities, or staff support activities. 


e SENSITIVE -- ADP and centralized office automation activity heads. 

e NONSENSITIVE -- Accreditation not required. 
NOTE -- Multilevel systems require ACSI approval regardless of sensitivity level 
(above NONSENSITIVE). 


E. SUMMARY OF ADP SECURITY POSITIONS 
General lists of the ADP policy and security hierarchy, and ADP operating level 


security positions are listed in this section for the reader’s information. 
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a. ADP POLICY AND SECURITY HIERARCHY 


ASSISTANT __ _ SECRETARY OF Tae ARMY (FINANCIAL 
MANAGEMENT) (ASA (FM) ) - senior policy offical for Army ADP. 


ASSISTANT CHIEF OF STAFF FOR INFORMATION MANAGEMENT 
(ACSIM) - manages overall Army automation program. 
I 


aeololaN! CHIEF OF STAPF FOR INTELLIGENCE (ACSI) - develops 
and implements the AASP; ensures compliance with ADP directives; identifies 
and addresses ADP. problems; deternmunes applications of new technology; 
provides, guidance for preparation of new svstems; and manages overall 
automation security. 


HEADS OF _ MAJOR COMMANDS (MACOM) - manage/administer all 
aspects, of ADP within their relm for key ADP personnel which include data 
processing activity (DPA) commanders and managers, SSMs, ADPSSOs, NSOs, 
anc oi 


SECURITY PROGRAM MANAGER (SPM) - ape oie for each HQDA 
agency and MACOM,; manages AASP; appoints SSMs and ATSSMs. 


mee oly CHEIP OF STAFF FOR PERSONNEL (DCSPER) -_ provides 
policy. and proceaures for physical security plans; advises ACSI on ADP related 
security fraud. | 


Por vANDING GENERAL. US. ARMY INTELLIGENCE AND 
SECURITY. COMMAND (CG, INSCOM) - implements Automated Data 
Processing Svstem Security Enhancement Program (ADPSSEP): provides tech 
guidance and assistance for communications security, emanations control, and 
counter intelligence. 


b. ADP OPERATING LEVEL SECURITY HIERARCHY 


SYSTEM SECURITY MANAGER (SSM) and Automated Telecommunication 
Svstem Security Manager (ATSSM) - advisor to conmmander_on ADP securitv 
matters; integrates securitv actions of individual svstem ADPSSOs and TASOs; 
maintains inventory of post, installation, and tenant ADP accreditation, 
including their status. 


SYSTEM SECURITY CONTROL OFFICER (SSCO) - appointed by 
organization as primary point of contact for all security matters for central. 
system development activities; reports to ATSSM; responsible for all aspects of 
policy and procedural guidance for systems assigned to him;her. 


MeMOMATIC DATA PROCESSING SYSTEM SECURITY OFFICER 
(ADPSSO) - basically the same responsibilities as a SSCO. except_for ADP 
equipment at a single site; would report to or coordinate with a SSCO if the site 
was connected to a network. 


NETWORK MANAGER - designated when two or more ADP systems are 
linked together for network or distributed operations. 


NETWORK SECURITY OFFICER (NSO) - responsible for all aspects of 
network security; reports to the network manager. 


TERMINAL AREA SECURITY OFFICER (TASO) - responsible for all 
aspects of terminal and network Secunty in an assigned area; may report to 
SSM, ATSSM, SSCO, ADPSSO, or NSO depending on the type of system the 
terminals are connected to. 
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THE ACCREDITATION PROCESS - SYSTEM CONFIGURATION AND 
OPERATION 


This thesis has addressed the security guidance considerations that apply to the 
system configuration and operation; the fourth requirement in the overall summary of 
requirements described above. In short, the thesis is intended to serve as guide for 
identifying network guidance requirements for the system components addressed in the 
fourth item of the requirement summary above. In a real network the requirements 
would be applied to the specific components and their specifications. Here, given the 
generic configuration described in Chapter II, actual application considerations will be 
general. 

Activity for satisfying the fourth requirement item in the summary above begins 
with a description of proposed operations. This includes explaining actions taken to 
minimize risk and procedures to be used throughout the network. Moreover, areas 
addressed must include description of system hardware and software, significant 
applications and svstem interfaces, location of all remote devices, and features of 
operational and securitv modes in existence and to be implemented including requests 
for waviers. Features that must be included in accreditation documentation are listed 
below. [Ref. 13: pp. 40,58] 

e¢ Security features and management of components. 
_@ Major executive and application software. 
e Encrypted/non-encrypted terminals and devices. 


e Procedures for log-ons, changing sensitivity processing levels (periods 
processing), etc. 


¢ Communications - transmission links and associated components. 
e Personnel - not addressed bv thesis. 

e Security of svstem documents/documentation. 

e Physical and Environmental security. 

¢ A-completed Facility Security Profile (FSP). 

Also, problems must be identified that are disruptive of accreditation processes, 
tasks, and time tables. In terms of the system, acceptance of each risk that cannot be 
minimized must be identified with a description of the situation and waiver request (if 
appropriate). [Ref. 13: p. 58] 

Once descriptions are complete, an initial implementation plan must be 
completed. Such a plan is beyond the scope of this thesis, however, it must provide a 
description of: 


e Security phases. 
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e Milestones. 
e Initial/final operational capabilities. 
e Task interdependencies. 


e St responsible for accomplishing milestone-related tasks [Ref. 13: p. 


In addition to normal accreditation reviews, reaccreditation is required for all 
networks and ADP systems within 3 months when any of the following occur: 
1) Major system or “mainframe” addition or replacement. 
2) “An increase in sensitivity category or level.” 
3) “A significant change in the DPA/ATS which requires a more complex mode 
ree (para 1-13), or a more complex operational service mode (para 
4) Major operating system or executive software. 


5) Internal and external security violations, integrity violations, or anv situation 
that invalidates the accreditation. 


6) Significant changes to the DPA/ATS physical structure. [Ref. 13: p. 31] 
G. METHODOLOGY IN_ RELATION TO SECURITY REQUIREMENTS: 

SYSTEM CONFIGURATION CONSIDERATIONS/REQUIREMENTS 

In sum, guidance presented in the earlier chapters 1s in general terms so it can be 
easily applied to most automated svstems and at the same time provide the appropriate 
flexibility. Thus, the guidance should apply to most aspects of each system 
component. However, because networks are not specifically addressed, LANs must 
derive guidance from standard computer (ADP) and teleprocessing requirements. This 
indicates that much of the specific responsibilities for security requirement 
determinations, for accreditation of a specific network, are left with the ultimate system 
user/sponsor. 

The thesis has presented the “generic” LAN configuration and associated 
components (Chapter II) to match the “generalness” of the guidance reviewed. This 
approach generates more system level considerations because specific vendor 
hardware/software analysis is beyond the scope of this thesis. Consequently, system 
considerations and requirements for sensitivity, network control, management, 
procedures, significant applications, and future upgrades are covered next. 

1. Sensitivity 

It is mentioned throughout this thesis that sensitivity is the driving force 
behind anv secure processing mode. As a result, the official sensitivity designation sets 


the scope for system development and implemention in terms of accreditation. 
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In the generic LAN, as in any system, the information contained therein, is 
the ultimate vulnerable area. All guidance pertaining to sensitivity designation 
determination applies. The basic security sensitivity level definitions (critically 
sensitive, highly sensitive, etc.) and security processing mode (multilevel, system :high, 
etc.) requirements are clear. In a network context, LAN sensitivity mode determination 
would involve the same considerations. Thus, there are no gaps in the “non-network” 
oriented guidance in terms of functional sensitivity determination. 

The areas addressed in the first three requirements in the accreditation 
requirement summary should result in an adequate system sensitivity designation. 
Nonetheless, the component parts of the network should NOT be ignored. In other 
words, sensitivity of each component part should be considered in terms of the overall 
system sensitivity designations. In doing this, it may be better to first concentrate on 
security needs for specific component areas to identify variability or constraints that 
would affect the overall system. before settling on a final system designation. 

In terms of accreditation, the purpose of the system sensitivity designation is 
to protect information from unauthorized penetration via the functional sensitivity 
mode which 1s the most cost effective. Cost is used here in relation to actual system 
impact of the designation, not in terms of actual dollar cost. For example, the actual 
dollar cost would be the actual price of some cryptography hardware, while the impact’ 
cost might be the manpower, diverted from “productive” activities, required to 
manually distribute sensitive crypto-keys. Impact refers, for example, to how the 
sensitivity level might affect utility in terms of configuration design, operating 
procedures, and the range of system applications. 

Each of the designated modes have different operating requirements which in 
turn vary the cost of a desired configuration. More sensitivity levels and access 
flexibility would require a more complicated system given todays guidance and 
technology. The dedicated mode would affect the generic configuration the least 
because there is one sensitivity level dedicated to one group of users. System high is 
similar to the dedicated mode with the exception of extra procedural controls required 
to determine the “need-to-kKnow”. In contrast, the controlled security mode would 
require, for example, more procedural controls and more complicated audits, 1.e. “cost” 
more. Moving on to the other end of the spectrum, multilevel would cost more in 
terms of the number of sensitivity levels and the way that the multilevel environment 


was achieved. In other words, via a true multilevel operating system; or separately 
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configured LANS, for each level, acting as one system transparent to the user. In 
addition, extra approval activities are required. For example, the ACSI must know of 
intent to use a multilevel environment before milestone “zero”. [Ref. 13: p. 7] 
.2. Network Control 

Network control in the generic LAN context should be most concerned with 
device interfaces and connections. Administrative and electronic access, audits, and 
monitoring activities must be well planned and designed. The generic LAN requires a 
central control facility for tight control of these activities. In the generic configuration 
and other systems alternate control facilities may be desirable as well. 

a. The Central Control Facility 

Just as is a central computer room in a stand-alone ADP system, the 
network control center (NCC) is vulnerable in terms of physical and electronic access, 
and environment preservation. 

All physical requirements for a normal ADP computer center apply to the 
generic LAN NCC facility regardless of which devices work together or separately in 
terms of network control and the classified operating mode. This includes proper 
construction materials and design of the building(s) and room(s), physical hardware 
protection, and TEMPEST shielding. Remember that the supporting utility facility 
must be protected at the same level as the NCC, i.e. svstem high. In addition, all 
requirements pertaining to facility access and physical storage of media, both offsite 
and in the facility, apply. A system high security environment must prevail in the NCC 
because it is the physical location that not only monitors and controls the network, but 
also maintains the network security features (audits, system software, etc.). 

There is no gap in guidance in terms of physical central configuration 
control of a distributed system through a NCC because all the requirement areas 
mentioned above for standard ADP systems apply to the generic LAN. Thus, the 
NCC should be protected at the system high sensitivity level in the same way that a 
mainframe environment would be. Performance and reliability are enhanced when 
equipment supporting the control of the network are secure to a level that ensures 
continued operation at a given security mode. . 

b. Remote Control Facility 

If the generic configuration did consist of an alternate control facility it 

would require the same basic requirements as the central NCC. It could serve as a 


back-up, alternate, or replacement when the central facility is destroyed or damaged. 
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Obviously, it would require the same type of network control components and 
therefore the same security requirements. 
c. Interfaces 

From a system standpoint, an interface could be a simple port on the back 
of a terminal, or some sort of trusted interface processor that performs buffering and 
security functions on the information passing to and from the system. Vulnerabilities 
are further magnified in terms of a gateway or bridge to another network. Vulnerable 
areas include penetration of interface software and possible signal emanations. 

Requirements for encryption, disconnects, and a PDS apply to the generic 
LAN configuration in one way or another. Army communications security policy 
requires security by either PDS or encryption for automated sensitive information. In 
reality, a combination of varying degrees of both are acceptable depending on the 
system sensitivity level, the application, and the actual configuration. In some 
Situations a disconnect is acceptable. As a result of this range and variablity, the 
accreditation process requires a description of significant interfaces. 

Given the nature of the guidance reviewed, there are no direct references to 
ADP network interfaces, but from all information they are, again, treated in the same 
wav as ADP and telecommunications networks. This point is a major concern because 
ina LAN environment a major interface, like a trusted interface unit or a gateway, has 
a major impact on the security of a LAN. These units control and restrict 
communication to and from various parts of the network. Thus, it is important that 
they are protected at the network system high. [Ref. 37] 

Assuming the generic LAN will process sensitive data, as mentioned above, 
encryption, requirements for a PDS, or a combination of both will be required for 
accreditation. 

(1) Interfaces in a PDS. Interfaces between all network devices and 
components require shielding and physical protection just as the other network 
components. In addition to the physical device or cable, the device ports can emanate 
signals that can be compromised. Thus, every port, interface device, transmussion 
medium, as well as every ADP device must be physically shielded and protected. 

Low voltage processors may be an alternative to tempest shielding in 
some applications. These processors do not need TEMPEST shielding because 
emanations are so weak, but any attached CRT screens would. Thus, low voltage 


processors may replace TEMPEST shielding in “black box” or stand-alone processing 
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devices like controllers or interface units. In essence it would require system high 
protection with the only access being surveillance and maintence. [Ref. 35] 

Note that the generic configuration (Figure 2.1) illustrates separate 
lines leaving the NCC. In reality, these lines would pass through a multiplexer and be 
routed bv a single trunk line to other rooms and buildings (Figure 5.2). A trunk is a 
group of communications lines enclosed in a single casing that usuallv connects two 


switching centers or multiplexers. [Ref. 3: p. 381] 
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Figure 5.2. The Generic Configuration with Multiplexers. 


(2) Interfaces and Encryption. Encryption is one of other major 
alternatives that has an impact on the system interfaces. Assuming the sensitivity level 


requires encryption for the entire system, an encryption device would be required for 
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each line going into or out of the CBX, as well as each device on the network (Figure 
5.3). Extra fine tuning of the network would be required for synchronization between 
the encryption devices and the CBX, and all device interfaces on the system. 
Moreover, each encryption device requires a special key for encryption. An encryption 
key 1s a sequence of symbols that control the code scrambling mechanism within the 
encryption unit. The actual Key could be a series or combination of symbols, letters, or 
nunibers. A common procedure ts to change the key at least on a daily basis. Without 
the correct key, a device cannot communicate because it would not be synchronized 
with the other devices. Synchronization is further complicated by the distance between 
devices. The farther any two devices are apart, the harder it is to synchronize. 

(Refs. 13,35] 

(3) Impact of System Interface Protection on the LAN. In terms of the 
overall network configuration. interfaces are the glue that tie the system together. 
Thus their overall impact on network security must be addressed. 

In a pure LAN PDS, physical protection of interfaces should not affect 
LAN performance in terms of through-put or efficiency. Extra procedures may be 
required to phvsically reach a device because it is physically protected or guarded. The 
major concern would be ensuring that metal protection devices do not emanate signals. 
For instance, power sources may require noise filters, and conduit may have to be 
composed of sections of nonconductive material. [Ref 35] 

In contrast to a PDS, a LAN that was entirely encrypted would 
experience an overall reduction in reliablity and performance in terms of slower data 
rates and response times. Historically, networks with cryptographic devices are less 
reliable than they would otherwise be, because cryptographic synchronization requires 
more maintenance and fine tuning. From a system view, cryptographic device is one 
more hardware/software fail point in the network. [Ref. 35] 

An entirely encrypted network would also require procedures and plans 
for “crypto-key” changes and generation. As mentioned above this is critical, the key 
should be changed regularly because a site or device must have the right key to operate 
on the network. Crvypto-key restart procedures would also be needed in case a key 1s 
lost by any network user. Still the most important procedures would be for the 
electronic or manual distribution of keys. Electronic distribution would require a 
specially secured and approved line. Above all, any “crypto” procedure, device, or 


software must be protected at the system high security level. [Ref. 35] 
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Figure 5.3 The Generic Configuration with Cryptography. 


Do not forget that a partial or total combination of cryptography and 


PDS techniques can be used. The major advantage of cryptography is that encrypted 


91 


information can be transmitted over any transmission link as long as the receiver_has.—_._. 
the same level of protection as the transmitter (and the right key). The major 
disadvantages of encryption were addressed above. Conversely, the major advantage of 
a pure PDS is that in most cases system reliability and efficency are not affected. 
However, every part of the network must be contained within a secured physical area 
and shielded. Thus physical access procedures and emanations may make access 
cunibersome. 
d. Disconnects 

Accreditation documentation must account for any disconnects planned in 
the svstem. Access and connection/disconnection procedures must be included for 
connecting to networks/systems of higher, lower, and equivalent security classifications. 
Moreover, the devices to be connected or disconnected and the type of disconnect(s) 
must be specified. Overall impact on operations should also be addressed. 

e. Physical 

Physical LAN considerations for accreditation are for the most part 
straight forward. It was mentioned in earlier chapters that descriptions and locations 
of all devices are required in the accreditation package. This includes floor plans as 
Well as configuration diagrams like the generic configurations presented in this thesis. 

If the generic LAN was to be secured by meeting only PDS requirements, 
TEMPEST shielding for all hardware and/or rooms and even buildings would be 
required. Again, depending on sensitivity, a combination of shielded rooms and 
unshielded rooms with shielded hardware, may exist within the same building. Cable 
media running outside of shielded rooms or buildings would also have to be shielded 
and protected. Moreover, special attention must be paid to certain types of conduit 
and other media protection devices because they can cause emanations. In addition, 
proper physical controls would have to be maintained in terms of area security. The 
physical area could range from a room to an area containing many buildings. [Ref. 35] 

One major consideration is the physical placement of the NCC within a 
building, and depending on the physical distance from other network sites, on an 
installation. Obviously a central location within a sturdy building or within a protected 
area perimeter is ideal. Realistically LANs are not always located in an ideal 
environment. Variations in physical controls and access barriers may have to be 
adjusted to meet a given security operation mode. For instance, if a network was 


located in a building that was not located in a central position on the post, maybe 
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emphasis on physical perimeter safeguards (fences, guards, lighting, etc.) along with the 
normal building security requirements, would meet accreditation needs. Remote sites 
would be subject to the same basic requirements as the NCC unless the network was 
Operating in a controlled or multilevel mode. With more than one security mode, 
placement is still critical because any node or terminal is a penetration target, but less 
actual physical security would be required for sites approved to operate at less than 
system high. Remember placement and/or protection considerations for the network's 
power source are equivalent to the NCC. 

On a lower physical level, placement of devices within a facility should be 
done in a way that will maxinuze protection. In addition to “where”, placement should 
be noted in the accreditation documentation in terms of doors, windows, and 
transmission media routing. 

Physical routing of transmission media should indicate what transnussion 
links, or parts of the links, are shielded, protected, and/or encrypted. Note that 
protection may vary with the security operating mode of a particular link. The way in 
which the media links are protected and accessed should also be addressed in the 
accreditation. For example, if a LAN trunk is routed under or near a well traveled 
road to provide better surveillance, detailed procedures would be required as to how, 
when, and why the trunk should be accessed for inspection or maintenance. 

3. Network Management Appointments 

In relation to accreditation of the generic LAN only one network manager 
would be needed. That person may be part of an internet management hierarchy if the 
LAN maintained an active gateway to such a system. In terms of security, the generic 
LAN requites a NSO and TASO. ADPSSOs are warranted where ever one of the 
connected computers is large enough to operate and support a standalone mainframe 
environment outside the NCC. 

A situation could exist where there are a large number of terminals in addition 
to large numbers of PCs that are not accredited with the system, but are accredited on 
an individual basis to be used with the system. A separate TASO (or TASOs) for these 
PCs could promote better security for the system by ensuring all users understand and 
follow network procedures. In addition, such a person could better manage their 
unique and powerful capabilities. For instance, a site could have at least one TASO 


for each type of terminal approved for the network. 
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In addition to management of network components, accreditation 
documentation should include the role of network security management in all 
implementation and test plans. 

4. Network Procedures 

There are obvious procedures for the NCC and the network in general, that 
must be described in the accreditation package. They include escorts for maintenance 
personnel and other outsiders who have a temporary need to access the NCC or any 
secure network site. Other procedures include password control and issue, and audit 
procedures for regular review of network traflic. However, a gap exists in the guidance 
concerning control procedures for transfer of control to alternate control centers 
(AAC) when/if the NCC is destroyed or damaged. In the generic LAN (Figure 5.2) an 
alternate control center is not identified. Yet, if there was, there are no guidelines or 
requirements for transfer of system control in a distributed computing evironment. 
Thus, there is much flexibilitv in developing procedures for transferring control to 
another center. Plans and procedures developed for this kind of activity should be 
integrated into emergency plans and the COOP. 

Basic accreditation considerations for procedures were brought out above in 
terms of crypto-key handling and disconnects. Besides standard kev storage and 
handling procedures, key procedures could be used to simulate a disconnect on an 
encrypted network by simply not issuing the key to certain users for a designated 
period of time. 

Another accreditation consideration is that system auditing software may or 
may not be acceptable for monitoring software or hardware disconnects. I[n addition, 
the fact that disconnects can or cannot be made at both ends of a transmission link 
should be noted. Thus, extra management procedures may be required for disconnect 
procedures in addition to the associated sanitization procedures. 

5. Significant Applications 

In terms of accreditation of a LAN, significant applications consist of 
software that handles/manipulates information or communications. In terms of the 
overall network, these types of applications need to be explained in terms of their 
compatibility and affect on overall network security and efficiency. Two examples are 
data base and message/mail sending applications. These applications are addressed 


later in the chapter under software. 
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6. Configuration/System Documents Required 
Two important documents are the implementation plan and the ST&E plan. 
These and other major documents required for accreditation are mentioned in the 
beginning of the chapter. 
7. Future Upgrade/Expansion 
Assuming the generic LAN is accredited, any type of network upgrade or 
expansion will require the entire LAN configuration to be reaccredited. 
Reaccreditation is required when there is a: 
1) Significant change to the, phvsical structure of any facilitv containing network 
components. However, it would not applv to devices that were not accredited 
with the svstem unless the reaccredited process increased the sensitivity level 
of the entire network. 
2) Major system hardware addition or replacement... Examples are 
addition/replacement of switches, encryption devices, interface devices, major 
large mainframe, and switching from coax to fiber optic cable. 
3) Change in sensitivitv_processing level or operation, mode category. Examples 
ape SEGRE? ft TOP SECRET and system high to controlled securitv 
operating mode. 
In addition, even if an upgrade/expansion is not planned, a plan for implementation 
and review of additional security features is required for accreditation. Reference step 
5 (requirement 5) in the analytical process outline presented in the beginning of the 
chapter. 
8. Waivers and Exceptions 

Waivers and exceptions must be included in the accreditation documentation. 
If any part of a network cannot meet security guidance requirements, accreditation 
documentation must describe the circumstances and reasons that would impair 
Operation and mission effectiveness. Plans must be included that describe and assure 
continuous progress toward full compliance. The accreditation authority cannot 
delegate authority to grant temporary exception, but may choose to submit it to the 
next higher accreditation level. All exceptions must be reviewed biennially to ensure 


that progress toward full compliance is made. 


H. ADDITIONAL SYSTEM COMPONENT CONSIDERATIONS 
1. ADP Hardware 
Many of the basic device accreditation requirements are addressed above 
under system configuration considerations. In addition to the physical descriptions 
required by the FSP, hardware device descriptions should emphasize inherent security 


features and how they work with the network security features. Other areas to 
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emphasize are the affect of network security features on device performance, internal 
hardware control features, TEMPEST features, and/or low level emanation. 
2. Terminals. 

One point of interest is that terminals attached to the network more than 50% 
of the time must be accredited with the system. With the proliferation of PCs in the 
Army [Ref. 38: p. 4] this could mean great flexibility in a network context provided 
accreditation and approval for network connection 1s obtained for each PC connected 
to the generic LAN. 

A powerful PC could perform many functions in a stand-alone mode, then 
connect to the LAN and communicate with other devices just long enough for the 
necessary data exchanges and distributed processing activity. Much could be 
accomplished by many powerful PCs operating in this manner even if thev were 
connected to the LAN less than 50% of the time. This could be an advantage if 
network traffic is reduced, along with an increase in overall network processing, 
resulting from these PCs. 

The major disadvantage would be the expense of accrediting each, or a group 
of terminals separately. Other considerations include development of access, connect, 
and disconnect procedures. [hese considerations would be further complicated in a 
controlled or multilevel mode because separate accreditation and procedures would be 
required for each security level. For example, if a PC was accredited for system high in 
a multilevel LAN, sanitization procedures would be required before switching to 
another security level. Conversely, a multilevel PC would not require sanitization and 
could be used anywhere in the multilevel LAN. 

3. Software 

Accreditation documentation must include major software (applications, 
executives, and utilities) with descriptions of the impact on network security features. 
General categories that should be included follow, however, there may be more 
depending on unique system requirements. 

a. Protocols 

The most significant gap in terms of network software is that no protocol 
security considerations exist in the guidance referenced. Communication software is 
also ignored by the guidance. Communications software implements the actual 
functional requirements for the transmission and reception of “coded” data for a device 
according to the rules of a specific protocol [Refs. 3,39: pp. 104,449-450]. A 
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description of the protocol and associated communications software should be included 
in the accreditation documentation. Thus, protocol security analysis should be 
integrated with utility and operating system requirements in a way that will allow 
maximum overall network security. The relationship of protocols and system software 
was addressed in Chapter IV. Effects of encryption, audit trail, security features and 
major applications on the protocol, should also be included in accreditation 
documentation. 
b. Data Manipulation Software 

Data manipulation software generally falls under the data _ base 
management or data maintenance categories. The data base is one of the major 
computer-run resource today. Commonly, distributed systems distribute the storage 
among user locations. [Ref. 39: pp. 464-465] Thus, DBMS _ has important 
considerations in a network where information is accessed locally and remotely. 
System developers and managers must be sure it provides/supports audit trail and 
security functions. Data maintenance is another critical consideration because it is the 
access of data anywhere in the system via svstem software executives/utilities. 
Obviously operation and control of data manipulation software must be addressed in 
the accreditation documentation. 

c. General System Software 

As mentioned earlier, operating systems must provide as much internal 
control as possible. A unique situation exists in a network environment because each 
computing device may have different operating systems. Ideally, system software 
should make it easy to add new applications and security features throughout the 
network [Ref. 39: p. 457]. Similarly, each operating system should compliment network 
activities. Descriptions of all tvpes of operating system, utility, and executive software 
should be in the accreditation documentation. 

Software used for testing of the network and network security should also 


be described in accreditation documentation. [Ref. 39: p. 450] 


I. TWO ALTERNATIVE EXAMPLES 
Chapter IV presented considerations for the two operating mode extremes; 
system) high and multilevel. Here, both operating mode examples will be taken one 


step further by looking at high level configuration alternatives for each. 
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1. Generic Configuration - System High or Dedicated Design 

There is not much change in terms of the original configuration for the system 
high or dedicated operating modes. The security issues concerning the configuration at 
a “high level” design stage include determining if it will be a total PDS, whether some 
or all lines will be encrypted, and what buildings and/or equipment should be shielded. 
In addition, combinations of encryption, shielding, and physical protection can be 
considered. Figure 5.2 illustrates an unchanged generic configuration; in terms of a 
PDS, any part of this (Figure 5.2) could be encrypted, shielded, or protected. For 
example, cryptography equipment can be put at each end of major trunk lines to 
encrypt a particular link, without affecting the original configuration. Compare Figure 
5.2 to Figure 5.3 If this encrypted configuration (Figure 5.3) was implemented between 
buildings, it could be configured as depicted in Figure 5.4 Given the major trunks are 
protected by encryption, each individual building, or room(s) containing network 
hardware, would have to be shielded. Another alternative would be to shield all the 
hardware components. In contrast, Figure 5.3 illustrates the generic configuration 
totally encrypted. Only the trunk lines are encrypted in Figure 5.4 

2. Multilevel Example - High-level Design 

The multilevel configuration takes on a whole new shape in contrast to the 
generic configuration. The reason is that the multilevel configuration example does not 
base system control on trusted sophisticated operating system mechanisms like security 
kernels [Ref. 37: p. 283]. The “kernel” is the nucleus of the operating system kept in 
main memory while the computer is operating, and consists of routines that handle 
input/output (I/O), scheduling, and other basic system functions [Ref. 3: pp. 209,263]. 
A security kernel consists of the software, firmware, and hardware in a trusted 
computing device that can be protected from modification, mediate all accesses, and be 
verifiable [Ref. 21: pp. 112,113]. However, the major element in this example 1s the 
trusted interface unit (TIU). 

a. The Trusted Interface Unit (TIU) 

In short, a TIU enables a user to be at just a single security operating 
mode level, or a range of security levels (multilevel). The TIU is a device that checks 
and enforces control labels/fields on each information packet transmitted to it. A 
packet is a group of bits that make up all or part of the message to be transmitted 
[Ref. 3: pp. 276-277]. Messages longer than the network's packet size are broken into 


smaller sections, and consequently are distributed over more than one packet. Control 
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labels and fields identify information required for routing the packet through the 
network to its ultimate destination. Packets not meeting requirements cannot pass 
through the TIU. All computers transmitting to the TIU are trusted to receive and 
send packets at the security level they are approved for. 

Each individual TIU can be set to monitor a single security level or 
multiple levels. Each level of security traffic is isolated from the other. Consequently, 
single level TIUs are restricted to one and only one level. However. variable level 
TIUs are adjusted bv electrically linked ternunal switches or keyboard kevs. The range 
of adjustments correspond to the approved security levels for that particular TIL and 
terminal. Multilevel TIUs must contain fully trusted software, but a network can 
Operate in a multilevel mode using onlv single and variable level TIUs. See Figure 5.5 
[Reis 3 ppa2sle2ssi 
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Figure 5.5 Simple Multilevel LAN. 


b. The Configuration 
The overall design strategy is intended to be easily implemented with “off- 
the-shelf” hardware and protocols. In reality the TIU design strategy creates one 


subnetwork for each security sensitivity level. Each subnetwork is protected at the 
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system high level designated for that subnetwork. Bridges connect each subnetwork to 
form the multilevel network. See Figure 5.6 for a detailed example of the subnetwork 


configuration. [Ref. 37: pp. 281-286] 
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Figure 5.6 Multilevel Subnetwork Configuration. 


The definition of a bridge in the TIU network varies slightly from the 
Chapter II definition. Like the Chapter II definition, the T]U-based definition states 
that identical protocols are used to route packets between LAN subnetworks. But in 


addition, the T1U-base definition requires that the bridge perform security checks to 
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prevent sensitive information from flowing from a higher to a lower level subnetwork. 
The bridge functions are transparent to the T1Us and other devices. What’s more, the 
bridge only checks security levels between the two networks it is connected to. In 
doing this, it does not verify the level of the packet in terms of the source it is from, or 
subnetwork destination. Note in Figure 5.6 that split bridges are used to identify areas 
Where encryption might be implemented; for instance between two buildings. 
[Refi 37: pp 2ac-cor| 

This design example is based on the Ethernet protocol. The concept could 
be applied to the same environment as the generic LAN, but the overall configuration 
would be drastically changed. A possible high level configuration is illustrated in 
Figure 5.7. Note the difference between Figure 5.7 and the generic configuration in 
Pigure 3.2 Reis (peo! 
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Figure 5.7 Multilevel LAN - High Level Configuration. 
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VI. CONCLUSIONS AND RECOMMENDATIONS 


A LAN 1s a= general-purpose local network that is normally used for 
minicomputers, microcomputers, and terminals, but can support many other devices. 
LAN applications and numbers are growing. One reason is that they provide flexibility 
and resource sharing of limited hardware resources. Unfortunately their distributed 
nature increases their vulnerability in terms of securing the information they contain. 
Thus technical computer security guidance must be applied effectively to LAN 
configurations. [Refs. 13,1,4,40] 

In general, application of technical security guidance requires that the vulnerable 
LAN areas must be identified and categorized as risk factors early in the system 
development. Next, these factors must be quantified so the overall system sensitivity 
can be determined, which in turn allows identification of security requirements for the 
system. [Refs. 13,40] 

A summary of the thesis with conclusions follows. Then, some general 


recommendations are presented. 


A. SUMMARY AND CONCLUSIONS 
1. Sensitivity 

Requirements identified in Chapter III indicate that sensitivity is determined 
by the importance of the information processed to the overall Army mission, a need-to- 
know, and unique system features or applications that warrant protection. The 
sensitivity determination controls the type of information and thus the databases which 
could be tied into the network or LAN. Sensitive information can range from mission 
oriented data to non-mission oriented data like large dollar volume inventories and 
personnel data covered by the Privacy Act of 1974. 

The need-to-know requires a “need-to-protect” information contained in the 
system. Protection determines who will access the network and how they will do it, as 
well as the physical protection of hardware components. The protection (1.e. security) 
features must be cost effective and production effective. The first step to implementing 
efficient security features is to correctly select the maximum sensitivity level required 
for the network based on information presented in Chapters IV and V, and then select 


an adaptable security operating mode. 
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All guidance referenced stressed that sensitivity of data be based on a “need- 
to-know” which is a valid approved need, based on damage to national security and 
required for performance of duties [Ref. 20: p. 10]. Army sensitivity designations are 
meme AlLyY SENSITIVE, HIGHLY SENSITIVE, SENSITIVE, and 
NONSENSITIVE. These designation categories have the same requirements as the 
“Orange Book” but different labels. [Refs. 13,21] 

Sensitivity determinations are also affected by compilation. Compilation of 
data occurs when certain types of data/information and large dollar volume assets are 
combined to yield a higher security classification than they would normally be assigned 
individually [Ref. 20: p. 11]. There is great potential for compilation in a network 
because information can be extracted from distributed locations and combined or 
“compiled”. 

As mentioned above, the operating mode classification is dependent on the 
designated network sensitivity level. Security operation modes that apply to all tvpes of 
systems are dedicated, system high, controlled, and multilevel. The more sensitivity 
levels and access flexibility, the more complicated the system, given today’s guidance 
and technology. For instance, the dedicated mode is the least complicated to 
adniunister, but only provides one level of security. Also, dedicated operating mode 
requirements could be applied to any network configuration. Conversely, the 
multilevel mode is more complicated to administer (with current technology), but 
provides simultaneous operation/processing of more than one security classification on 
the same network. In addition, the multilevel mode may not be applied to all 
configurations; an example was presented at the end of Chapter V. [Ref. 13] 

It should be noted that DOD contractors are limited to dedicated, system 
high, controlled and concurrent processing modes. The multilevel mode is not 
addressed for contractors, but concurrent storage and processing of multiple levels of 
information is approved for contractor run and approved systems [Ref. 36: pp. 
173-175,181-182]. Generally, system high protection is required for all components. 

2. Configuration 

LANs have emerged as a practical way to turn mainframe environments into 
distributed networks [Ref. 9: p. 69]. The generic configuration in the thesis uses a 
combination of a bus and star topology to illustrate a LAN. The design is a practical 
administrative network configuration. An Ethernet bus is used to handle host traffic 


while the CBX forms the star configuration used to control user device traffic. 
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Expansion possibilities for the generic LAN include multiple gateways to other LANs 
and wide area networks, and installation of multiple switching locations. User 
applications could be expanded into expert systems, graphics, and relational data base 
svstems. 

It is beyond the scope of the thesis to go into specific security cost 
effectiveness analysis of configurations and components. The purpose is to give the 
reader a better feel for security boundaries in an Army LAN. 

3. The Security Goal 

The goal is to design and implement a secure system that has little impact on 
responsiveness and efficiency of the network conmiponents, as well as the overall 
network. To do this, system vulnerabilities and the impact of system security features 
on network performance must be limited. 

Vulnerabilities must be identified so a sensitivity level is established early, and 
in the design stages of development. Vulnerabilities must be limited to prevent 
penetration of network security. In addition, the access threat is growing, especially in 
terms of communication taps and microwave signal interception from equipment 
emanations. Considerations like accounting and audit trails, individual accountability, 
and data integrity must be included along with physical security. Once a security 
operation mode is chosen, security requirements for each network component can be 
identified. [Ref. 1,5] 

Impact of security features must be a major concern of system developers, 
because network components usually do not have inherent security features. For 
instance, in Ethernet, encryption and general security is the responsibility of the “end- 
user processes.” [Ref. 18: p. 54] When security features are combined with a security 
processing mode a LAN configuration can take on a very different appearance. Again, 
an example of the impact of security on a network configuration was illustrated in. 
Chapter V. It showed that a multilevel system configuration versus system high or 
dedicated mode configuration can be very different, in terms of the resulting 
configuration structure and it’s associated hardware components, like the trusted 
interface unit (TIV). 

The multilevel operating mode was identified as the most complicated and 
therefore the hardest mode to secure and maintain. A particular multilevel operating 
system may not be approved for all applications at a given classification level. 


Moreover, the “system effect” may reduce over-all multilevel sensitivity performance. 
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This is because the operating system is the main component in a true multilevel system, 
although a multilevel environment can be achieved with conventional hardware and 
software. 

In contrast to true multilevel operating system requirements, system high and 
dedicated modes do not require memory partitioning or other memory unique control 
functions in the multilevel sense. System high and dedicated modes do require special 
procedures (sanitization, disconnects, approval, etc.) to move to a higher or lower 
security Operating mode. 

In the final analysis a system must meet user requirements and be robust and 
responsive as well as be secure. Again, security features and the designated network 
operating mode can have a major impact on the design and operation of a network. 
The ultimate goal is to have all security features and procedures totally transparent to 
the users. Lack of network security guidance allows flexibility in pursuit of this goal, 
but at the same time interpretation and accreditation may cause frustration for the 
developer. 

Additionally, this goal may never be fully realized in the real world of Army 
ADP and network system application. The reader should recognize that possible 
problems with development, system acquisition, time constraints, resource/money 
constraints, and general implementation, to mention a few, can have a significant 
impact on the resulting system and it’s security features. Nevertheless, it is beyond the 
scope of this thesis to address or speculate how these factors may affect network 
security implementation and accreditation. At least, the accreditation process forces 
the system sponsor and developers to address security in some way. 

4. Accreditation 

In the rush to modernize ADP systems and continually update software, new 
ideas for regulations and system protection have been sidetracked [Ref. 2: p.3]. There 
is almost nothing in the guidance reviewed for this thesis that pertains to “LANs” 
specifically, and very little in terms of direct references to “networks” in general. But, 
the guidance reviewed does address ADP security topics that relate to general 
LAN/network components. AR 380-380 is used as the focus for all other guidance 
reviewed for this thesis because it is currently the number one guidance for ADP 
security in the Army. 

The guidance does not address LAN security in great detail. Various 


telecommunications, ADP, and ATS components are all used to establish LANs. In 
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addition to interpretation, the developer must derive most LAN requirements 
himself/herself because only a few checklists reference networks directly [Ref. 24,25]. 
Any LAN 1s subject to ATS and general ADP requirements, even if it is purely an 
administrative system, because LANs consist of ADP components and always include 
telecommunications [Ref. 13: pp. 9,31]. Consequently network security guidance for 
accreditation of sensitive systems is obtained as a result of a synergistic effect from 
complying with ADP, ATS, and other types of guidance. Conversely, nonsensitive 
systems don’t require accreditation. [Ref. 13] 

In terms of system security and eventual accreditation, many network 
component and topic areas are not covered or inadequately covered. However, there 
are many regulations that apply to network components. For instance, all sensitivity 
designations and operating modes apply to networks, including compilation. Site 
security must equal the requirements for the highest level of information processed at 
that site. All network components must be protected with shielding, encryption, and 
the appropriate physical security. Before an ADP system, terminal/device, or a 
network can access or interface a specific ADP network, the ADP system, device, etc., 
must meet approval of the DOD component, and the agency operating the network 
(Ref. 22: p. 20]. Any computer (micro, mainframe, etc.) collocated or connected to the 
network more than 50% of the time must be accredited with the system [Ref. 13: p. 9]. 
A final noteworthy example is that privately owned computers cannot be used in a 
sensitive network environment or any type of remote connection to a sensitive 
mainframe computer. [Ref. 13: p. 10] 

In contrast to regulations that apply, regulations that do not apply take on 
two forms - waviers and exceptions. An exception is a case to which a rule does not 
apply [Ref. 31: p. 452]. Exceptions will depend on characteristics unique to the svstem, 
which may include the sensitivity of the information, the characteristics of approved 
ADP equipment, the characteristics of substituted equipment, the results of risk 
analysis, and the organizations involved. In short, exceptions may result because 
security solutions are not feasible. [Refs. 13,32,20]. A wavier 1s a privilege to 
intentionally abandon a known requirement [Ref. 31: p. 1325]. The intent is to provide 
an opportunity to simultaneously fix and operate the network; not an excuse to ignore 
security discrepancies. A wavier is used when complying with guidance would impair 
Operation and mission effectiveness. Note that continuous progress must be made 
toward full guidance compliance and that just one critical component could require a 


wavier for the entire system. 
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In addition to guidance that does and does not apply to networks, there are 
outdated regulations and network topics that are not covered. Guidance has a 
mainframe flavor, for instance, there are references to punched cards. In contrast, 
there are few direct literal references to networks. Mainframes still exist, but networks 
and their applications are increasing, especially in administrative applications [Ref. 41]. 
Thus, specific network and LAN guidance would be valuable. 

The thesis also looked at network security topic areas not covered by the 
guidance. Much interpretation from ADP and ATS guidance is noted throughout the 
thesis. Notable topics not covered include protocols and the impact of PC’s on 
security. The only specific fact is that PCs must be accredited with the system if 
connected for more than 50% of the time [Ref. 13: p. 9]. 

Even though the guidance reviewed does not literally address, and in some 
cases does not apply to LANs, there still is enough guidance to prepare a LAN for 
accreditation. The accreditation process consists of designing a system, documenting 
its Operation and security features as required by the guidance, and preparing the 
documentation for review by a designated approval authority. It includes a series of 
reviews and meetings and ends with the designated approval authorities written 
approval. More risk requires higher command/management levels of responsibility and 
awareness, because the approval level is raised to the next higher authority if 
accreditation requirements can’t be met at a given level. 

5. Physical Protection 

There are no gaps in environmental and physical security requirements; all 
physical requirements apply to LANs. One method of physical protection is the 
protected distribution system (PDS). A PDS is an approved telecommunications 
system that has the required physical and electronic safeguards for safe transmission of 
unencrypted sensitive information. [Ref. 13: p. 76] 

Physical protection varies with emanation protection (TEMPEST) to a 
certain degree. It is not unreasonable to require encryption or shielding, or even have 
a combination of both. Consequently, a PDS could have either shielding or be 
encrypted, or be a combination of both. Price/flexibility trade offs must be determined 
by the organization developing the network to deternune which alternative is most 
affordable, and will allow expansion, for the desired level of protection. 

The Facility Security Profile (FSP) is one of many documents required for 


accreditation. It is the physical security description of all facilities containing network 
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hardware and includes a list of hardware, hardware locations and relationships, and 
general functional operation of the network environment. 

In general, physical security corresponds to the highest sensitivity level 
processed at the network site. Power supply facilities for the network must be 
physically protected at the system high too, because any ADP system or network 
requires electricity to operate. Obviously a network and it’s information is useless 
Without a power supply. Moreover, any security features supported by the same power 
source would be useless. Also, interface requirements parallel standard ADP or 
telecommunications requirements depending on the device characteristics. 

6. Network Access 

Security procedures are required for internet and intranet gateways and other 
interface devices. The procedures should be the result of an agreement by all networks 
involved. Audit procedures and password controls in the form of flexible network 
audit and monitoring features, should provide operators and managers easy tracking of 
data as it is routed through the network, and users on the system. Audit file 
information should be limited to network management. 

In terms of physical controls, personnel access to network sites can be limited 
by physical barriers, security identification badges, TV monitors, and visitor escorts. 
Moreover, access can be limited during emergencies. Emergency procedures for start- 
up, shut-down, and svstem failure must be planned because the network 1s especially 
vulnerable during unscheduled termination of operations [Ref. 13: p. 24-25]. In 
addition, physical access procedures must consider the protection of system 
documentation and media must be protected at system high for the location (this 
includes disks, tape, etc.). Nonetheless, if the system is not multilevel approved, 
evervthing (disks, tape, data, etc.) that goes into the system comes out, and 1s 
controlled, at system high. This includes any input that has a lower system 
classification level. For example, consider an unclassified floppy disk brought into and 
used in a network control center that operates at the SECRET level in a system high 
mode. From that point on the floppy must be labeled and handled as SECRET. 

Encryption and/or shielding is required to secure network devices against 
access via emanations. Isolation transformers and powerline filters are used to prevent 
signal emanations via the power source and its components. In addition to normal 
ADP/ATS encryption devices and software, there is a lot of encryption software 


available for PCs [Ref. 38: p. 4]. Major encryption considerations include extra 


110 


procedures for maintaining signal synchronization throughout the network, and crypto- 
key distribution. 

Given the sensitivity level of the network site, ADP hardware security features 
require isolation of users in regard to the designated security level for internal controls. 
Various external device access controls like locking mechanisms, keys, electronic cards 
etc., may be external device requirements. 

7. Software 

The software guidance is ADP oriented; there was no mention of network 
protocols. Thus, general statements about utility, application, and operating system 
software were presented in terms of how they must work with a protocol to maintain a 
secure network operating environment. In short, a protocol is a set of rules, that 
transform into requirements and specificatidns for the executive, utility, and 
applications software that control network interaction. 

Use of software security packages should be based on cost versus level of 
security protection provided. In other words, it should be analyzed to verify that it 
does work as the vendor claims. Moreover, classified data cannot be protected by 
commercial software alone, so proper management procedures should accompany it’s 
use. For instance, issue of passwords the particular commercial software mav require. 

8. Miscellaneous Network Management Considerations 

Management can best control network security by taking advantage of all the 
system security features. Continuous controls, like audit and monitoring hardware and 
software, can be of great value because networks are inherently unsecure due to their 
distributed nature. But before network management relies on security features, the 
features should be verified and tested. When determining the security mode and actual 
network components, security system verification should be a major consideration. 
For example, verification of “true” multilevel network security is in it’s infancy. This 
may or may not impact a given implementation effort, however it should at least be a 
consideration. 

Given the extra procedures often required for security features and the 
distributed nature of LANs, it may be wise to give more security responsibility to the 
users. In any application, pure distributed data management involves the increased 
Sharing of responsibilities (with users) for managing functions of processing, 


movement, and storage of information. [Ref. 7: pp. 6-8] 
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B. RECOMMENDATIONS 
1. General Protection of the Generic Configuration 

Security considerations and requirements should be identified as early as 
possible in the design phase of the network. Chapter V showed how different 
configurations can result from different security needs. Guidance also stresses early 
application of security features to the overall network design. System security impact 
should be analyzed in terms of procedures, physical requirements (fences, surveillance, 
etc.) cryptography, software, training and management control and monitoring. 
Moreover, configuration considerations must include responsibilities of network 
security and management personnel. At a minimum a network should have a network 
manager, a network security officer (NSO), and at least one terminal area security 
officer (TASO) during the design phase as well as for implementation and operation. 

Given that network guidance is practically non-existant in the guidance 
documents, general guidance pertaining to individual LAN components should be 
followed. For instance, ADP guidance for network computers and ATS guidance for 
network transmission media. 

Internet access should be tightly controlled and limited as much as possible, 
preferably using only one tightly controlled gateway. Dial-up capability should be 
eliminated in networks processing sensitive information, because multiple entry 
alternatives provide many opportunities for unauthorized access. 

In addition, security procedures should provide tight control of ADP storage 
media, especially removeable floppy disks; possibly using classified document control 
procedures. Floppy disks are easy to load, copy, conceal, and steal. 

If encryption is used throughout most of the LAN, encryption keys could be 
used to simulate a software disconnect where certain components could not be 
approved for a temporary higher classification operating mode, and special procedures 
are developed. | 

2. Important Guidance to Reference 

In general, this thesis should be read for an overview, followed by a review of 
AR 380-380, by anyone about to be involved in LAN development. AR 380-380 is the 
focus because it is the current, major document dealing with Army automation security 
guidance. In addition, the Orange Book will provide more background on sensitivity 
designations - the key to ultimate network security requirements. Remember a need- 
to-know and need-to-protect determine the sensitivity which in turn drives the security 


requirements. 
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Note that some guidance encourages common standardized connections of 
hardware to promote Army interoperability goals. In addition, security features should 
be part of any network interoperability plans and goals. [Refs. 13,28,29] 

A unique point in one regulation states that COMSEC testing is currently 
done on request. This should be mandatory for all networks so emanation control can 
be verified. [Ref. 30: pp. 4-5]. 

In terms of organizational position and assignments of personnel, AR 380-380 
provides comments on separate assignment of responsibility for physical and non- 
physical (software security, audits, etc.) security functions. Sensitive personnel 
positions are determined by a need-to-kKnow and the security operating mode. 
[Ref. 13: pp. 6-7] 

3. Future Research 

One major area not covered by guidance is the network impact and specific 
security of PCs. Desk top power in the form of PCs and other microprocessors can 
now do many of the tasks that previously were only performed on mainframes and 
minicomputers. This is an obvious threat when you consider the ease with which a PC 
is moved and connected to a network or another device [Ref: 38: p. 4]. Much research 
should be done in this area. 

Even though ATSs were addressed, no protocol security guidance existed in 
the same regulation: Obviously, protocols are another major LAN component that 
needs be analyzed in terms of Army security guidance and requirements. [Ref: 13] 

Many areas were not covered due to the limited scope of the thesis. First, 
personnel security was not addressed, yet personnel security considerations should be 
one of the most important. Personnel guidance can be found in AR 380-380. 
Furthermore the thesis did not cover all aspects and details of accreditation or all 
aspects and details of contractor security. In addition, the following LAN topics and 
components are suggested for further security analysis and research. 

e Operating systems. 
e Risk management. 


e Nes eucly into current regulations being drafted as opposed to what currently 
applies. 


e System sanitization. 
e Trusted and/or smart interface units. 
e Distributed data storage procedures. 


Suggestions for possible future guidance research areas are listed below. 
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e More detailed network security analysis into one or, more of the. securitv 
seus mode designations, possibly using this thesis and expanding it in 
etail. 
e Multilevel trends in security technology and their application to networks. 
e Distributed processing security. 
e Encryption of data over a network. 


e AppLY this thesis to a specific network and point out specific deficiencies in 
guidance. 


e Explore more aspects of the accreditation process in more detail. 


e Development of an accreditation plan or regulation document that covers 
detailed requirements for ADP systems, ATSs, and networks. 


e Develop detailed guidance for LANs. Use this thesis as a primer and 
background for developing such guidance. 


e Develop security guidance for distributed network control. 


C. FINAL COMMENTS 

New technology developments should be used when possible to enhance the 
robustness, responsiveness and efficiency of any computer network. User resource 
limitations require that the network vields cost effective operation and installation. 
Nonetheless, military requirements for protection of sensitive information processing 
may prove to be a challenge in terms of network operation and performance. 
Performance factors should not degrade the level of protection of the system 
[Ref. 22: p. 2]. Conversely, the security requirements should not degrade the network 
to the point of uselessness. Consequently, military guidance interpretation can be 


difficult, especially when/if it does not keep up with technology. 
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APPENDIX 
SECURITY GUIDANCE SUMMARIES 


1 INTRODUCTION 
Army Regulation 380-380 (AR 380-380) is covered in more detail than the other 
regulations because it is the one regulation specifically dedicated to automation 


security. 


2, REGULATION/GUIDANCE SUMMARIES 
a. ARMY REGULATION 380-380: Automation Security, 8 MAR 85 
1. Purpose. 

AR 380-380 was developed to provide a minimum standard for all non- 
conflicting areas and areas where higher guidance does not exist. Thus, it is not 
intended to duplicate higher guidance. However, the more stringent requirement will 
take precedence when there is a conflict. Conflicts between agencies are possible 
because many other agencies govern certain Army ADP systems. Some examples are 
the Defense Intelligence Agency (DIA), National Security Agency (NSA), and Defense 
Communications Agency (DCA). | 

In general this regulation is designed to address automation security and 
allow accreditation authorities and individual commanders to apply stricter controls 
and procedures, if necessary. [Ref. 13: p. 3] 

Another major function is to describe the Army Automation Security 
Program (AASP) which consists of ADP system security and automation resource 
subject areas. Automated data processing (ADP) system security includes: security 
management, software security, hardware security, procedural security, 
communications security, personnel security, document security, physical and 
environmental security. Automation resources include: all computer equipment, 
remote terminals and peripherals, programs, data, associated documentation, 
contractual services, personnel, supplies, facilities, intelligent terminals, minicomputers, 


microprocessors, and automated office systems. 
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2. General summary. 

The following AR 380-380 chapter summaries identify important items 
related to LAN security, and network or security related ADP. 

(1) Chapter 1. Overview. This chapter is an overview of basic security 
guidance covered in AR 380-380. After the general purpose (explained above), basic 
ADP security responsibilities from the highest to the lowest levels are explained. 
Positions identified that apply to LAN security are the terminal area security officer 
(TASO), network manager, and network security officer (NSO). The TASO is 
“appointed for the remote terminal(s) and interface devices(s) connected with a host 
computer.” A network manager is “assigned when two or more automated systems join 
to participate in networked operations. He or she will prescribe security mode and 
requirements, protocols, and standards for the network.” A NSO is “appointed for 
each network processing sensitive defense information. Note that NSO responsibilities 
include network access and connectivity control; security impact evaluations of 
network changes and interfaces with other networks; and maintaining a network 
security profile. [Ref. 13: pp. 3-5] 

Mayor policies include that all computer facilities and operations will 
be designated either as critically sensitive, highly sensitive, sensitive, or nonsensitive, 
and that system security applied at the beginning of the design is more cost effective in 
the long run. AR 18-1, AR 105-22, AR 1000-1, and DAR MISC Pub 28-24 are cited 
as references. Additionally, network security measures must be established before 
internetting operations begin (between both/all networks). Any ADP system, sensitive 
or higher, must pass all accreditation processes. {Ref. 13: pp. 5-6]. 

Minimum Department of Defense (DoD) requirements are identified 
and include individual accountability, physical and environmental control, system 
stability, data integrity, system reliability, communications links, and classified and 
unclassified national security information. [Ref 13: p. 6] 

General ADP, information sensitivity determination, and sensitivity 
levels, can be changed to more restricted limits if an accreditation authority determines 
that the sensitivity designations are too broad. 

Conversely, an accreditation authority can move to one sensitivity 
level lower than prescribed, if the following conditions are met: the volume of sensitive 
information processed is low, the sensitive information is always confined to a specific 


area, adequate and continuous protection is exercised at each sensitivity level, and 
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personnel are properly cleared. In addition, all sensitive personnel positions must be 
formally defined. 

The four basic levels of security are Critically Sensitive (CS), Highly 
Sensitive (HS), Sensitive, and Nonsensitive. The CS level is broken down into 
sublevels: Level 1 (CS1) for sensitive compartmented information (SCI) or Single 
Integrated Operational Plan--Extremely Sensitive Information (SIOP-ESI); Level 2 
feeeior TOP SECRET; Level 3 for SECRET/CONFIDENTIAL. [Ref. 13: p. 6] 

Operational service modes for the purpose of this regulation are 
identified as local, remote batch, remote interactive, and networked. Local is the least 
complicated service mode, remote batch and remote interactive are progressively more 
complicated, with networked considered the most complicated. The more complex the 
operational service mode, the more vulnerable it becomes; this is one key factor in 
determining the vulnerabilitv and risk of the system. 

In short, access control topics are concerned with a need to know 
using only the resources needed and is dependent on security processing modes and 
restrictions. Also, requirements, characteristics, and basic features for the multilevel, 
controlled, system high, and dedicated security processing modes are addressed along 
with periods processing. [Ref. 13: pp. 7-8] 

If intelligent terminals, minicomputers, and microprocessors are 
collocated or connected to another automated system, more than 50% of the time, the 
terminals, etc., must be accredited with that system. This assumes a LAN or ADP 
system requires accreditation. In terms of automated administrative systems, any 
svstem attached to a sensitive system requires accreditation. Word processing work 
stations are considered remote terminals and should be part of the accreditation and 
risk management documentation. [Ref. 13: pp. 9-10] 

Additionally, privately owned computers are discouraged. They must 
comply with AR 380-380 and accreditation requirements, and be used in a stand alone 
configuration. All information processed becomes property of the Army organization 
in Which the computer is used. [Ref. 13: p. 10] 

The first chapter of AR 380-380 also addresses accreditation 
authority designation requirements, and waivers and exceptions of security 


requirements. 
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(2) Chapter 2. U.S. Army Automation Security Program (AASP). The 

U.S. AASP was developed to achieve the most economical and effective security for 
Army ADP systems. Some management responsibilities include “ensuring that new 
systems, or major revisions of existing systems include automation and 
communications security in their design’; and “that construction of new automation 
facilities conforms with the security requirements of this regulation.” [Ref. 13: p. 10] 

Other topics covered relating to AASP are implementation at the 
Headquarters, Department of the Army (HQDA) and major Army command, 
post/installation-level, and data processing activity (DPA). In addition, the U.S. Army 
Automated Data Processing Systems Security Enhancement Program (ADPSSEP) and 
the DoD Security Evaluation Center are addressed. [Ref. 13: pp. 10-11] 

Network processing and security implementation includes [Ref. 13: p. 
Li: 


e Ensuring “the establishment of minimum standards for the security and 
operation of the network and ensure adherence ; 


e Ensuring implementation of a system wide network risk management program 
and network security procedures; 


e “Periodic review of network security’; 


e Providing configuration management (software and hardware), and making sure 
software and hardware is tested and approved before use. 


(3) Chapter 3. Physical and Environmental Security. “This chapter 
provides standards and criteria for physical security measures required to safeguard - 
fixed and mobile data processing activities.” Physical security must be included in a 
balanced automation security program. The objectives include: safeguard personnel; 
prevent unauthorized access; safeguard against espionage, sabotage, damage, & theft; 
reduce exposure to threats that disrupt service. Note - only limited aspects of Chapter 
3 are addressed in the thesis. 

Physical security principles covered include barriers, procedures, 
construction standards, and physical access controls. Areas addressed in Chapter 3 
apply to remote terminals, nodes, peripherals as well as the central computer complex. 
[Ref. 13: pp. 12-16] 

(4) Chapter 4. Personnel Security. Personnel security and surety was not 
included in the scope of the thesis. Nonetheless, Chapter 4 covers general personnel 
policy, implementation of the Personnel security and Surety Program (PSSP), initial 


evaluation and screening, selection and retention criteria, personnel security 
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investigations, local national employees, security briefing and debriefing, and PSSP 
maintenance. [Ref. 13: pp. 16-18] 

(5) Chapter 5. Communications Security. In terms of LAN security, 
communications security (COMSEC) and terminal access are two important topics 
covered in this chapter. Army COMSEC “policy requires that all record 
telecommunications will be secured by either encryption in approved cryptographic 
systems or protected distribution systems (PDSs)”. In addition “all circuits used to 
interconnect remotely located components of Army automation systems or networks 
will be provided COMSEC protection under the provision of AR 530-2.” By 
consequence, methods for achieving COMSEC are addressed also. Topics relating to 
terminal access include locking and unlocking, and physical and logical disconnects. 

Other topics covered in Chapter 3 are system password generation 
and control, and communications security planning. [Ref. 13: pp. 18-19] 

(6) Chapter 6. The importance of hardware security is stressed in 
Chapter 6. In general, areas covered include guidance on hardware security policy, 
desirable hardware security features, and considerations outside the CONUS. In 
relation to LANs, desirable HW security features are hardware/firmware that isolate 
users from each other and constantly monitor the system to identify terminals and 
users logged into the system. [Ref. 13: pp. 19-20] 

(7) Chapter 7. Software Security. For the purpose of AR 380-380 
software is broken down into general purpose, executive, utility, and software 
categories. Areas addressed are general software security guidance, operating system 
security features, data base management system (DBMS) features, and software 
Security packages. It should be noted that “classified data will not be protected solely 
by commercial software. In addition, classified data processing requirements will not 
be used as the sole justification for acquisition of such software.” 

Areas of Chapter 7 that apply to LAN security include items that 
address remote access, identification of remote terminals, and control of remote 
terminals via software. Also, shared data bases are addressed. [Ref. 13: pp. 20-22] 

(8) Chapter 8. Procedural Security. “The purpose of this chapter is to 
prescribe procedures and techniques which can be applied to improve control, reduce 
risks, and counter inherent vulnerabilities of a data processing activity (DPA) or” an 
automated teleprocessing system (ATS). Areas covered in this chapter include: 

- Management considerations. 


- Software design. 


Ue 


- Start-up, shutdown, and system failure procedures. 
- Control of over-the-counter batch jobs. 

- Control of teleprocessing systems jobs. 

- Continuity of Operations Plan (COOP). 

- Accountability procedures. 

- Security of ADP media. 

Topics that relate to LAN security include facilities configuration 
management; system start-up, shutdown, and failure affects on remote devices; and 
control of ATS jobs. Note that requirements pertaining to ATS jobs are mandatory 
for all new Army systems. [Ref. 13: pp. 22-29] 

(9) Chapter 9. Risk Management. Risk management must be a 
responsibility of each command “because each computer site and operating 
environment is unique, there are no standard remedies or checklists which can be 
applied. .. Management must identify the resources to be protected and analyze the 
risk of espionage, sabotage, damage, and theft to determine the minimum level of 
protection needed.” Generally the objective of risk management is to obtain safeguards 
against unauthorized access and manipulation of information. Note that Appendix O 
addresses procedures for identifying vulnerability and penetration areas. Areas covered 
in Chapter 9 include [Ref. 13: pp. 29-30]: 

e Risk Management Methodology. 
e Risk Assessment. 

e Management decision. 

e¢ Control implementation. 

e Effectiveness review. 

e Implementation. 

(10) Chapter 10. Accreditation. Accreditation is addressed in Chapter V 
of the thesis. 

(11) Chapter II. Automated telecommunication systems (ATS). 
Automation security for ATSs applies to contractor operations as well as Army ATSs. 
Two key areas of ATSs concern configuration control and the peripheral/system 
approach. 

Configuration control requires that rigid configuration management 
procedures be established. “Prior to modification, addition, or deletion of any 


software, firmware, or hardware, a detailed comparison must be made with the 
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approved system baseline. In addition, an analysis will be conducted of all possible 
effects on system security.” Before development or procurement of any ATS 
hardware/software, it must meet all requirements in security regulations/guidance 
except when waivers or exceptions apply. Moreover, “interoperation of Army ATSs 
with those of other DoD or Federal agencies requires an awareness of all applicable 
security requirements.” [Ref. 13: pp. 32] 

In the peripherals/svstems approach “all system components share 
the assigned security level. Security considerations must be addressed during 
development, implementation, and operation of modems, multiplexers, front end 
processors, remote terminals, video/graphic devices, and input/output devices.” 
vein! 3: p. 32] 

Other areas covered in Chapter 11 include [Ref. 13: pp. 31-32}: 

e ATS responsibilities. 

e Processing modes and restrictions. 

e Protection of documentation. 

e Media security. 

e Personnel security requirements. 

e Risk assessment and accreditation. 

e File access controls. 

e Interoperational requirements. 

e Maintenance agreements and contracts. 

(12) Appendixes. The following appendixes apply to LAN security 

considerations [Ref. 13: pp. 40-69]. 

e Appendix D - Facility Security Profile (FSP) 


e Appendix F - Compilation of Security Protection Guidance for Processing in 
the Controlled Security Mode. 


e Appendix G - Periods Processing Procedures. 

e Appendix H - Automation Security Checklist. 

¢ Appendix I - Accreditation Document Format [Ref. 13: p. 58)] 
e Appendix J - Privacy Safeguards For Automated Systems. 

e Appendix M - Operating System Security Features 


e Appendix O - System Vulnerablilities and Penetration Techniques 
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b. ARMY, REGULATION 380-5: Department of the Army (DA) Information 
Security Program, 15 FEB 85 


In sum, “this regulation gives instructions and assigns responsibilities for the 
effective implementation and application of DoD Information Security Program 
policies at all levels of DA.” For ADP systems in general, this regulation applies to all 
classified information processed. Understandably, ADP of communications security 
(COMSEC) is a major concern. [Ref. 20: p. 6] 

Classification of information in terms of compilation is one area of AR 380-5 
that relates to LANs and ADP in general. Compilation of information is when “certain 
information that would otherwise be unclassified may require classification when 
combined or associated with other unclassified information.” This is important in 
research, development, test, and evaluation where each program has a security 
classification. Compilation areas covered include classification determination, ADP 
labels, and data formats. [Ref. 20: pp.10-12,19] 

A topic directly related to LAN security is transmission of data. Marking of 
electronically transmitted messages relates to security levels [Ref. 20: pp. 19] 
Transmission of TOP SECRET, SECRET, and CONFIDENTIAL INFORMATION 
levels is addressed. Encryption is a major requirement for transmission of data 
[Ref. 20: pp. 36-37] Exceptions may be authorized by head of the Component (Army, 
Navy, Air Force, or Marine), if it offers some degree of protection. All exceptions that 
do not meet the minimum standards in chapter 8 must be approved by Deputy Under 
Secretary of Defense (Policy) (DUSD(P)). “The ACSI approves exceptions within the 
Army.” [Ref. 20: pp. 36-37] 

c. ARMY REGULATION 18-1: Army Automation Management, 15 SEP 80 

AR 18-1 sets the framework for policy and responsibility, and delegates 
authority for Army automation, but does not apply to embedded ADP systems or 
configurations. AR 18-1 goals include [Ref. 28: p. 1-1]: 

e Permit MACOM management flexibility. 

e Shorten/streamline acquisition process. 

e “Encourage decision making at the lowest practical level.” 

e “Stress decentralization as a management concept for automation.” 

e “Insure total systems requirements are integrated to the overall force structure.” 
Moreover, a valid mission need is required to initiate a project and may be the result of 
a projected deficiency or outdated system, a change in threat, a_ technological 


opportunity, or a chance to reduce operating costs. [Ref. 28: pp. 1-1 - 1-2] 
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Once a project is under development, “achievement of program goals, rather 
than time-phased milestones, will be the controlling factor.” Other life cycle policies 
covered include standardization and interoperability, communications support (defined 
at beginning of system planning), and stand-alone computer management. 
[Ref. 28: pp. 2-1 - 2-2] 

Remaining network related topics, addressed in terms of development costs, 
are classes of systems, system decision authorities, and authority to acquire 
administrative systems. Cost estimates must include telecommunications cost and 
ADP cost. [Ref. 28: pp. 4-0 - 4-1] 


d. TECHNICAL BULLETIN TB 18-100; Army Automation Life Cycle 
Management, 15 Aug 81 


TB 18-100 provides a systematic approach to ADP life cycle management by 
tying life cycle management procedures to requirement documentation and acquisition 
procedures. It also applies to acquisition and management development of ADP 
resources and ADP systems that are subject to AR 18-1. TB 18-100 does not apply to 
systems acquired under AR 1000-1. The objective is to insure that mission 
program/project objectives and requirements are described in mission terms and not in 
ADP terms, telecommunications requirements for systems are identified, and 
automated systems are properly secure. [Ref. 34: p. 2-1] 

Planning and documentation topics covered in TB 18-100 do not directly 
address LAN security. For example, management strategy is mostly related to 
acquisition. However, standardization and electronic spectrum allocation are two 
design considerations that relate to LANs and ADP in general. In terms of security, 
TB 18-100 specificly states that “it is much more expensive and difficult to add security 
tO or introduce security into an already functioning system than it is to include it 
during the early stages of the life cycle.” [Ref. 34: pp. 2-1 - 2-4] 

The last point of interest is that telecommunication requirements must be 
approved according to AR 105-22 before acquisition can be processed. No other 
major LAN security topics were mentioned. [Ref. 34: p. 3-1] 


e. ARMY PAMPHLET = 18-4: Processing Installation Review/Evaluation 
Checklist, | SEP 85 


This pamphlet is a series of checklists designed to be used by heads of army 
staff and major Army command automation management offices/officers (AMO), and 
by DPIs for annual self evaluation audits. The checklists in Pamphlet 18-4 will be used 


when an equipment upgrade takes place, when a new AMO or DPI manager is 
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assigned, a major reorganization occurs, and in those years when a Department of 
Army automatic data processing management review is not conducted. [Ref. 24: p. i] 
Fifteen major list categories (chapters) are identified by Pamphlet 18-4, within 
each category sub-checklists exist for specific areas. Categories (chapters) and sub- 
checklists that relate to LAN security are listed below. 
e CHAPTER 1 - GENERAL INFORMATION (addresses Privacy Act of 1974). 
e CHAPTER 2 - ORGANIZATIONAL MANAGEMENT 
- Security management. 
- Security planning. 
- Security coordination. 
- Accreditation. 


e CHAPTER 5- AUTOMATED DATA PROCESSING EQUIPMENT (ADPE) 
OPERATIONS MANAGEMENT (includes Operations Security). 


¢ CHAPTER 11 - DPI FACILITY MANAGEMENT 
- Physical security. 
- Access control. 
- Remote terminal protection. 
e CHAPTER 15 - COMMUNICATIONS 
- Network configuration/ optimizations. 
- Communications security/emanations security. 
- Remote access security. 


f, ARMY PAMPHLET 18-7: Automatic Data Processing Management Review 
Guide, 3 DEC 85 


The purpose of this pamphlet is to assist Army ADP management review 
teams (MR) in reviewing and reporting on efficiency and effectiveness of Army ADP 
organizations, and managers who are having their ADP areas reviewed. The objectives 
are to identify management difficulties, determine the causes of management 
difficulties, and develop recommendations for solutions to these difficulties. [Ref. 25: p. 
3] 

In addition, Pamphlet 18-7 also points out that Pamphlet 18-4 is a checklist to 
be used as a point of reference and that it is just a checklist, nothing more. [Ref. 25: p. 
7] 
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g. LY REGULATION 530-2: Communications Security (COMSEC), 1 SEP 


“The Army’s COMSEC goal is to provide total security for all electrically 
transmitted information from the originator to the recipient.” AR 530-2 prescribes 
responsibility and policy for COMSEC in the Army and implements National 
Communications Security Directive and DoD Directive 5200.5. Army publications 
that identify COMSEC responsibilities must conform to this regulation. AR 530-2 
applies to all Army units responsible for conducting research, development, test, and 
evaluation (RDTE) of COMSEC and telecommunications hardware. [Ref 29: pp. 2-3] 

Many areas of AR 530-2 pertain to LAN security; some general points follow. 
In terms of secure communications, encryption in an approved system is stressed 
throughout AR 530-2 because encryption is the best defense against foreign 
exploitation of telecommunications. Yet the regulation points out that “COMSEC 
measures that are effective today may not be adequate in the future because of 
advances in COMINT technology. Therefore, COMSEC measures in use must be 
continuously evaluated.” Furthermore, all record telecommunications will be secured 
by either a protected distribution system (PDS) or encryption in approved 
cryptosystems. Record telecommunications is defined by AR 530-2 as the 
telecommunications or teleprocessing of record information. In general, AR 530-2 
requires the use of NSA approved cryptographic equipment and commercial 
communication equipment that meets Federal Standard 1027. [Ref. 29: pp. 2-3] 

Clear text transmission of national security information is another area that 
pertains to LAN security. AR 530-2 “prescribes DA procedures to be used for the 
unsecured electrical transmission of classified information during emergency situations. 
It also prescribes criteria under which PDS (formerly known as Approved Circuits) 
may be established and used for transmission of classified information under a variety 
of situations.” PDSs use physical and electromagnetic safeguards to obtain a secure 
conimunications system and is defined by AR 530-2 as a wire line or fiber optic system 
that permits transmission of unencrypted information. [Ref. 29: pp. 10,15] 


h. ARMY REGULATION 18-7: Automatic Data Processing Management Review 
Program, 30 NOV 84 


Besides establishing policies, responsibilities, and procedures for implementing 
the Automatic Data Processing (ADP) Management Review (MR) Program, it includes 
review of automation management office installations (AMO), data processing 


installations (DPIs), and the contractors under their purview. 1 [Ref. 23: p. 2] 
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AR 18-7 does not contain any specific guidance for LAN security; it contains 
an overview of topics and a reference to general polices, regulations, and pamphlets 
that affect management of ADP resources. Topics listed that relate to LAN security 
are the telecommunication plan, the configuration management plan, physical security 
communications, and ADP operations. 


1. ARMY _ TECHNICAL BULLETIN TB 18-107; Army Automation Automatic 
Data Processing Equipment Operations Management, 3 FEB 86 


The purpose of TB 18-107 is to implement certain provisions of AR 11-2, 
provide guidance for general purpose ADPE, and establish standards and prescribe | 
procedures to manage DPIs. The major objectives are to provide DP managers with 
basic guidance and provide functional staff and management with a _ basic 
understanding of ADP operations. [Ref. 27: p. 1-1] 

Two specific topics relating to LAN security are data control and ADP 
equipment sharing. The data control function involves production of “an auditable 
record of data as if it is routed through the various stages of processing. This concept 
is important in a service center operation, but it also applies in network environments 
and distributed systems.” Equipment sharing may be done only if the quality or 
security of mission-related support will not be degraded, and not cost too much. 
[Ref. 27: pp. 2-1,7-1] 

ik AG REG Clgee ce 380-53: Communications Security Monitoring, 15 


This regulation sets forth, policy, procedures and responsibilities for COMSEC 
monitoring within the Army. Most of the regulation deals with voice traffic over 
telecommunications systems. Basic objectives which apply to LAN security include 
providing information for improving the security of Army telecommunications, and 
deternuning the amount of security achieved by US codes, COMSEC techniques, 
cryptographic equipment and devices, and other related measures [Ref. 30: pp. 3-4] 
Procedures for determining transmission susceptibility, such as vulnerability and 
emanation surveys, are addressed. [Ref. 30: p. 5] 

k. DEPARTMENT OF DEFENSE (DoD) MANUAL DoD = 5220.22-M: 
Steet Security Manual for Safeguarding Classified Information, 1 MAR 

DoD 5220.22-M establishes the requirements for safeguarding all classified 
information to which contractors have access or possession. It addresses common 
situations Where a contractor needs access to classified information to perform 
requirements of the contract, and applies to pre/post-contract activity and government 
sponsored R & D activities. [Ref. 36: p. 1] | . 
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One section provides security requirements for ADP systems. In general. “it 
specifies conditions and prescribes security requirements under which ADP systems will 
be operated when handling classified information.” ADP topics addressed that relate 
to LAN security are word processing systems, ADP system security procedures, 
security of remote ternunals (including physical disconnects), physical securitv, and 
transmission security. Topics for ADP system security procedures include approval, 
upgrading, downgrading, and media/equipment clearance procedures. [Ref. 36: pp. 
171,177-178,184,186-190] 


lL DoD DIRECTIVE 3215. 
Evaluation Center, 25 O 


_ a Dir 5215.1), SUBJECT: Computer Security 

“This Directive establishes the DoD computer Security Evaluation Center 
(CSEC), provides policy, and assigns responsibilities for the technical evaluation of 
computer system and network security, and related technical research.” 

The policy provided by this directive states that the Consolidated Computer 
Security Program (CCSP) will include resources for the operation of the CSEC and 
generic computer security activities of DoD components. In addition. DoD 
components (Army, Navy, Air Force, and Marines) must perform security research, 
development, test and evaluation (RDT&E), and application-dependent research and 
development for, specific DoD component systems. Moreover, CSEC activities and 
products must complement established responsibilities of DoD components in relation 
to security, policy, and evaluation of computer systems. Thus, this directive contains 
only policy guidance for ADP and network security. [Ref. 26: pp. 1-2] 

m. DoD MANUAL 5200.28-M: ADP Security Manual Techniques and Procedures 
for Implementing, Deactivation, Testing, and Evaluating Secure Resource- 
Sharing ADP Systems, JAN 73 

The major objective of DoD 5200.28-M is to provide guidelines, techniques, 
and procedures to be used to: 

e Prevent unauthorized access of classified information. 

e Develop, acquire, establish methodologies, techniques, standards, and 
procedures for design, analysis, test, evaluation, and approval, of ADP systems 
and components. 

e Establish methodologies physical protection of ADP systems and components. 


e Prescribe standards, criteria, and specifications for deactivation of secure ADP 
systems and for sanitization. 


The manual states that requirements within it could adversely affect the use of 
any ADP “system under today’s rapidly changing ADP technology... This technology 


is dynamic and the methods chosen to secure a particular system must accommodate 
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new developments without degrading the level of protection.” By consequence, the 
Manual recognizes that techniques described within it may not be economically 
justified after a cost versus risk evaluation. So, appropriate subsets of the techniques 
included in this manual, may be used to gain the level of security required to secure a 
system. Techniques not included can be used if they provide the degree of security 
specified in DoD Directive 5200.28. {Ref. 22: pp. 1-6] 

Topics covered in this manual relating to LAN security include ADP System 
Security, dedicated and multi-level security modes, remotely accessed resource-sharing 
computer systems, physical security, communications security, emanations security, 
hardware and software security features, and audit logs and files. [Ref. 22] 

n. DoD COMPUTER SECURITY CENTER CSC-STD-001-83: DoD Trusted 
Se System Evaluation Criteria (Also Known as the “Orange Book”), 15 
AUG 83 

The criteria in DoD CSC-STD-001-83 provides a basis for security 
effectiveness evaluation of security controls built into ADP systems. The criteria are 
divided into four broad hierarchical divisions: A, verified protection (most secure); B, 
mandatory protection; C, discretionary protection; and D, minimal protection (least 
Secure). The criteria objectives: 

e To provide users with a vardstick with which to assess the degree of trust that 
can be placed in, computer systems for the secure processing of classified or 
other sensitive information. 

e "To provide guidance to manufacturers as to what security features to build 
into thier new and planes commercial products, in order to provide widely 
available systems that satisfy trust requirements for sensitive applications. 


e “To, provide a basis for specifying security requirements in acquisition 
specifications.” [Ref. 21: p. v] 


Orange Book evaluation criteria labels correspond to AR 380-380 sensitivity labels: 
e Verified protection (A) applies to the critically sensitive level (CS). 
e Mandatory protection (B) applies to the highly sensitive level (HS). 
e Discretionary protection applies to the sensitive level. 
e Muinimal protection applies to the nonsensitive level. 

Two sets of requirements are identified for secure processing: “specific 
security feature” and “assurance” requirements. Specific security feature requirements 
are application independent and involve the capabilities usually found in ADP systems 
that use general-purpose operating systems (separate from applications programs on 
the system). However, specific security feature requirements may have to be 
interpreted when applying the criteria to specific applications or special ADP 
environments. [Ref. 21: pp. v,2] 


128 


Assurance requirements apply to all ADP systems and computing 
environments; from dedicated controllers to full range multilevel secure resource 
sharing systems. Therefore, no special interpretation is needed for application across 
any ADP system or application processing environment. [Ref. 21: pp. v,2] 


0. DoD DIRECTIVE 5200.28: Security Requirements for Automatic Data 
Processing (ADP) Systems, 18 AUG 72 


Seer Urpose: 


1) Set uniform policy to protect, classified data stored, processed, used in, 
communicated, displayed, or disseminated by ADP Systems. 


2) In addition to the controls required by the security classification of. the 
material, permit. the application, of access and distribution limitations 
imposed on classified data and information. 


3)  Prescribes security requirements and specify conditions under which “ADP 
Svstems will be operated when handling ‘classified material and assigns 
responsibility for the testing, evaluation, and approval of such systems. 


4) Provide “for the application of administrative, physical, and personnel 
security measures. 


5) Authorized publication of “a DoD Manual of Techniques and Procedures 
for Implementing. Deactivation, Testing. and _ Evaluating - Secure 
Resource Sharing ADP Systems... DoD 5200.28-M.” [Ref. 32: .pp 1-2] 
e Objectives - to establish that: 


1) ADP Ae security controls are interrelated with normal system 
controls. 


2) System securitv_requirements/controls enhance the reliability, integrity, 
and operation of an ADP System. 


3) “The basic ADP system reliability and integrity features prevent 
SOMES access and manipulation with reasonable dependability. 
eb 3225p 


Topics covered in this manual relating to LAN security include ADP system 
security, dedicated and multi-level security modes, remotely accessed resource-sharing 
computer systems, physical security, communications securitv, and emanations 
security. [Ref. 32] 


p. NATIONAL COMPUTER SECURITY CENTER PUBLICATION NCSC- 
WA-002-85: Personal Computer Security Considerations, 1985 


This publication addresses issues that are pertinent to microcomputer security 
in the home and business environment. It is NOT a formal government policy 
document, but rather an information memorandum. [Ref. 33: p. i] 

NCSC-WA-002-85 notes that personal computers offer an unlimited 
opportunity for intrusion into mainframe computers and networks (assuming the PC 
has communication hardware/software). It indicates that transmission of sensitive 


information from a PC to another device is the responsibility of the user. In terms of 


communication security, dial-back procedures are considered questionable, with 
encryption identified as a “sure method” of protection. Dial-back procedures cause the 
PC to disconnect the caller, check a list of authorized IDs, and call back. [Ref. 33: pp. 
Sl 

Again, PC data transmission and communication attacks are addressed in the 
publication. However, the publication is most concerned with security of a stand-alone 
PC. [Ret33 somal 
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